Abstract. This is the third in a series of papers in which we study the
n-Selmer group of an elliptic curve, with the aim of representing its elements
as genus one normal curves of degree n. The methods we describe are
practical in the case n = 3 for elliptic curves over the rationals, and have
been implemented in MAGMA.

One important ingredient of our work is an algorithm for trivialising 
central simple algebras. This is of independent interest: for example, it 
could be used for parametrising Brauer-Severi surfaces. 
1. Introduction

Descent on an elliptic curve E, defined over a number field K, is a method
for obtaining information about both the Mordell-Weil group $E(K)$ and the
Tate-Shafarevich group Ш(E/K). Indeed for each integer $n \ge 2$ there is an
exact sequence

$$0 \to E(K)/nE(K) \to \mathrm{Sel}^{(n)}(E/K) \to \text{Ш}(E/K)[n] \to 0$$

where $\mathrm{Sel}^{(n)}(E/K)$ is the n-Selmer group.

This is the third in a series of papers in which we study the n-Selmer
group with the aim of representing its elements as genus one normal curves
$C \subset \mathbb{P}^{n-1}$ (when $n \ge 3$). Having this representation allows searching for
rational points on C (which in turn gives points in $E(K)$, since C may be
seen as an n-covering of E) and is a first step towards doing higher descents.
A further application is to the study of explicit counter-examples to the
Hasse Principle.

The Selmer group $\mathrm{Sel}^{(n)}(E/K)$ is a subgroup of the Galois cohomology
group $H^1(K, E[n])$, which parametrises the n-coverings of E. An n-covering
$\pi : C \to E$ represents a Selmer group element if and only if C is everywhere
locally soluble, i.e., C has $K_v$-rational points for each completion $K_v$ of K.
In this case it was shown by Cassels [1] that C admits a K-rational divisor
D of degree n. We can then use the complete linear system |D| to embed
$C \subset \mathbb{P}^{n-1}$ as a genus one normal curve of degree n, when n > 2. (For n = 2
we obtain instead a double cover $C \to \mathbb{P}^1$.) More precisely, Cassels' argument
shows that $\mathrm{Sel}^{(n)}(E/K)$ is contained in the 'kernel' of the obstruction map
$\mathrm{Ob} : H^1(K, E[n]) \to \mathrm{Br}(K)$.

In the first paper of this series [13] we gave a list of interpretations of
$H^1(K, E[n])$ and of the obstruction map. Then we showed how, given
$\xi \in H^1(K, E[n])$, to explicitly represent $\mathrm{Ob}(\xi)$ as a central simple algebra A
of dimension $n^2$ over K, by giving structure constants for A; we call A the
obstruction algebra. In the case $\xi \in \mathrm{Sel}^{(n)}(E/K)$, we have $A \cong \mathrm{Mat}_n(K)$.
Assuming the existence of a "Black Box" to compute such an isomorphism
explicitly, a process we call trivialising the obstruction algebra, we then
outlined three algorithms to compute equations for $C \subset \mathbb{P}^{n-1}$. These were called
the Hesse pencil, flex algebra, and Segre embedding methods.

In the second paper [2] we developed the Segre embedding method. In 
this paper we are again concerned with the Segre embedding method. We 
give an outline of the work in the earlier papers, and then give further details 
of the algorithms. In particular, taking K = Q and n = 3, we explain our
method for trivialising the obstruction algebra. (See Section 6, Inside the
Black Box.)
Returning to general n, we observe that

$$\mathrm{Sel}^{(mn)}(E/K) \cong \mathrm{Sel}^{(m)}(E/K) \times \mathrm{Sel}^{(n)}(E/K)$$

whenever m and n are coprime. Therefore for the purposes of computing
Selmer groups we can restrict our attention to prime powers n. Then, if
$n = p^f$ with $f \ge 2$, the most efficient way to proceed seems to be to first
recursively compute $\mathrm{Sel}^{(p^{f-1})}(E/K)$, to realise the elements of that Selmer
group as suitable covering curves (using the methods of this paper, for
example), and then to compute the fibres of the natural map
$\mathrm{Sel}^{(p^f)}(E/K) \to \mathrm{Sel}^{(p^{f-1})}(E/K)$ via p-descents on these covering curves. This has been worked
out for p = 2 and f = 2 by Siksek [37], Merriman, Siksek and Smart [30],
Cassels [6] and Womack [H]; for p = 2 and f = 3 by Stamminger [39]; and
for odd p and f = 2 by Creutz [16].

In Sections 2.2 and 2.3 we recall the construction of an etale algebra (that
is, a product of number fields) R and a homomorphism $\partial : R^\times \to (R \otimes R)^\times$
such that $\mathrm{Sel}^{(n)}(E/K)$ may be realised either as a subgroup of $(R \otimes R)^\times / \partial R^\times$,
with elements represented by $\rho \in (R \otimes R)^\times$, or as a subgroup of $R^\times/(R^\times)^n$,
with elements represented by $\alpha \in R^\times$. The first of these works for any
$n \ge 2$ and is better suited to the computation of the obstruction algebra
and equations for C. The second only works for prime n, but is better
suited to computing the Selmer group itself, in that the class group and
unit calculations are more manageable. So in Section 2.4 we discuss how
to convert from one representation to the other (from $\alpha$ to $\rho$). The Segre
embedding method is then reviewed in Sections 2.5 and 2.6.

It is sometimes convenient to assume n > 2. For example, when n = 2 the
map $C \to \mathbb{P}^1$ is a double cover rather than an embedding. However, if the
Segre embedding method is suitably interpreted in the case n = 2, then it
corresponds exactly to the classical number field method¹ for 2-descent. This
is explained in Section 3. In Section 4 we give an equally explicit description
of our algorithms in the case n = 3, assuming the action of Galois on E[3] is
generic. We do not give full details of the modifications required to handle
the other Galois actions as this would be unduly tedious, though each case
had to be handled in detail in our MAGMA implementation.

Starting with $\alpha \in R^\times$, we write down structure constants for the
obstruction algebra A. Then we trivialise the algebra A. Using the trivialisation, we
obtain a plane cubic $C \subset \mathbb{P}^2$. Now, the element $\alpha$ is typically of very large
height: it comes out of a class group and unit calculation that involves many
random choices. Consequently, the first equation for C which we obtain is a
ternary cubic with enormous coefficients. In order to obtain a more
reasonable equation, we finally use our algorithms for minimisation and reduction
(see [15]) to make a good change of coordinates.

¹ An alternative method for 2-descent over K = Q, based on invariant theory, is
implemented in mwrank [10], and is competitive over a large range of curves, but seems to
become impractical in other cases: when K is a larger number field, or when n > 2.

In our original implementation for K = Q and n = 3, we used an ad hoc
method for trivialising the algebra, which worked well in practice, but which
we could not prove always terminates. It became clear that the algorithm
could be improved by carrying out steps equivalent to minimisation and
reduction at an earlier stage. Firstly, $\alpha$ should be replaced by a good
representative modulo nth powers, as has already been described in [21, Section
2]. Then we should choose a good basis for the obstruction algebra, so as to
make the structure constants small integers. This is described in Section 5
and makes trivialising the obstruction algebra very much easier. (In fact,
this trivialisation is again a problem of "minimisation and reduction" type.)
As a result, the algorithms in [15], although still required, do not need to
work so hard.

In Section 6 we describe our methods for trivialising the obstruction
algebra. Since our methods are of independent interest, we have made this
section self-contained. For instance our methods could be used to improve
the algorithm in [26] for parametrising Brauer-Severi surfaces.

One peculiar feature of the Segre embedding method is that in our initial
implementation (for K = Q and n = 3) it was necessary to multiply by a
"fudge factor" 1/y to ensure that the projection of $C \subset \mathbb{P}(A)$ to the trace
subspace is contained in the rank 1 locus. The need for this factor was
justified by a generic calculation specific to the case n = 3. In Section 7 we
give a better explanation, based on the theory in [14], that works for all odd
integers n.

Finally, we give examples of the algorithm in practice, in Section 8. One
application of our work is that it can help find generators of large height on
an elliptic curve. Indeed the logarithmic height of a rational point on an
n-covering is expected to be smaller by a factor 2n compared to its image on
the elliptic curve. (See [23] for a precise statement.) Our work in the case
n = 3 is a starting point both for the work on 6- and 12-descent in [20], and
for the work on 9-descent in [16]. In Section 8 we instead use our methods
to exhibit some explicit elements of Ш(E/Q)[3] and to give some examples
illustrating that the obstruction map on 3-coverings is not linear. The use
of our methods to compute some elements of Ш(E/Q)[5] will be described
in future work. For this we use that the Hesse pencil method (described in
[13, Section 5.1] in the case n = 3) generalises to the case n = 5 as described
in [22, Section 12].

Our algorithms have been implemented in (and contributed to) MAGMA
[3, Version 2.13 and later] for K = Q and n = 3. A first version of the
implementation was written by Michael Stoll; it was restricted to the case of
a transitive Galois action on the points of order 3. Steve Donnelly extended
the part that computes the 3-Selmer group as an abstract group to cover all
cases (for K = Q), and Tom Fisher re-worked and extended the part that
turns abstract Selmer group elements into plane cubic curves, so that it also
works in all cases.

Our programs are currently specific to the case K = Q. The two main 
obstacles to extending them to general number fields are as follows. Firstly, it 
would be necessary (unless the Galois action on E[3] is smaller than usual) to 
compute class group and units over number fields of larger degree. Secondly, 
we do not have a suitable theory of lattice reduction over number fields. 
Notice that our algorithms over K = Q are dependent on the LLL-algorithm,
first in [21, Section 2], then in Sections 5 and 6 and finally in [15]. It is
possible that the algorithms described in [18] could be used here, and this
will be the subject of future work. 

2. Algorithms in outline 

In this section we give an outline of the algorithms used in our
implementation of explicit 3-descent on elliptic curves over Q. However, as far
as possible in this overview, we keep to the case where n is general and the
base field is a general number field K. Details specific to the case n = 3
can be found in Section 4 below. Our description here is based on what was
called the 'Segre embedding method' in [131 E]. We begin with a review of
the computation of the Selmer group as an abstract group. When we talk
about the 'generic case' below, we refer to the situation when the action of
the Galois group $G_K$ on E[n] induces a surjective homomorphism of $G_K$ onto
$\mathrm{Aut}_{\mathbb{Z}/n\mathbb{Z}}(E[n]) \cong \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$. When K = Q and E is fixed and non-CM,
this will be the case for all but finitely many prime values of n. It will also
be true for the generic elliptic curve $y^2 = x^3 + ax + b$ over Q(a, b).

2.1. Computation of the Selmer group I: The etale algebra. Let E be
an elliptic curve over a field K. (We will take K to be a number field later.)
We fix a Weierstraß equation for E and denote the coordinate functions with
respect to this equation by x and y. Let $n \ge 2$ be an integer not divisible
by the characteristic of K. We let $R = \mathrm{Map}_K(E[n], \bar K)$ be the etale algebra
of E[n]. The algebra R splits as a product of finite extensions of K
corresponding to the Galois orbits on E[n], where the component corresponding
to the orbit of $T \in E[n]$ is K(T), the field of definition of T. There is always
a splitting $R = K \times L$ with K corresponding to the singleton orbit {O} and
$L = \mathrm{Map}_K(E[n] \setminus \{O\}, \bar K)$. If n is a prime p, then generically the Galois
action is transitive on the points of order p, and L/K is a field extension of
degree $p^2 - 1$.
The tensor product $R \otimes_K R$ is the etale algebra of $E[n] \times E[n]$. We denote
by $\mathrm{Sym}^2_K(R)$ the subalgebra consisting of symmetric functions:

$$\mathrm{Sym}^2_K(R) = \{ \rho \in R \otimes_K R \mid \rho(T_1, T_2) = \rho(T_2, T_1) \text{ for all } T_1, T_2 \in E[n] \}$$

This is the etale algebra of the set of unordered pairs of n-torsion points.
As before, these algebras split into products of finite field extensions of K
corresponding to the Galois orbits on $E[n] \times E[n]$ and on the set of unordered
pairs of n-torsion points, respectively. The algebra $\mathrm{Sym}^2_K(R)$ contains a
factor corresponding to unordered bases of E[n] as a Z/nZ-module. When
n is a prime p, then generically, the Galois group acts transitively on these
bases, and the corresponding factor of $\mathrm{Sym}^2_K(R)$ is a field extension of K of
degree $(p^2 - 1)(p^2 - p)/2$.
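An added example (not from the paper or its MAGMA implementation): in the generic case, where the Galois image is all of GL_2(Z/nZ), the degrees of the field factors of R and of Sym^2_K(R) are the orbit sizes of GL_2(Z/nZ) on E[n] and on unordered pairs of n-torsion points. The Python sketch below assumes a fixed identification of E[n] with (Z/nZ)^2 and uses hypothetical function names; it enumerates those orbits directly.

```python
from itertools import product
from math import gcd


def gl2(n):
    """All invertible 2x2 matrices (a, b, c, d) over Z/nZ."""
    return [(a, b, c, d)
            for a, b, c, d in product(range(n), repeat=4)
            if gcd((a * d - b * c) % n, n) == 1]


def act(m, t, n):
    """Apply the matrix m to the torsion point t = (x, y) in (Z/nZ)^2."""
    a, b, c, d = m
    x, y = t
    return ((a * x + b * y) % n, (c * x + d * y) % n)


def orbit_sizes(group, points, action):
    """Sorted sizes of the orbits of `group` acting on `points`."""
    seen, sizes = set(), []
    for p in points:
        if p in seen:
            continue
        orbit = {action(g, p) for g in group}
        seen |= orbit
        sizes.append(len(orbit))
    return sorted(sizes)


def component_degrees(n):
    """Degrees over K of the field factors of R and Sym^2_K(R),
    assuming (generic case) that Galois acts on E[n] through all of
    GL_2(Z/nZ). Returns (degrees for R, degrees for Sym^2_K(R))."""
    group = gl2(n)
    torsion = list(product(range(n), repeat=2))
    # R is the etale algebra of E[n]: one factor per orbit of points.
    r_degrees = orbit_sizes(group, torsion, lambda g, t: act(g, t, n))
    # Sym^2_K(R) is the etale algebra of unordered pairs {T1, T2};
    # a pair {T, T} is stored as a one-element frozenset.
    pairs = {frozenset((s, t)) for s in torsion for t in torsion}
    sym_degrees = orbit_sizes(
        group, pairs,
        lambda g, pr: frozenset(act(g, t, n) for t in pr))
    return r_degrees, sym_degrees


if __name__ == "__main__":
    for p in (2, 3, 5):
        r_deg, sym_deg = component_degrees(p)
        print(p, r_deg, sym_deg, (p * p - 1) * (p * p - p) // 2)
```

For n = 3 the largest factor of Sym^2_K(R) has degree 24, against degree 8 for the largest factor of R.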

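The group law $E[n] \times E[n] \to E[n]$ corresponds to the comultiplication
$\Delta_K : R \to \mathrm{Sym}^2_K(R) \subset R \otimes_K R$. We write $\mathrm{Tr}_K : R \otimes_K R \to R$ for the trace
map obtained by viewing $R \otimes_K R$ as an R-algebra via $\Delta_K$. In terms of maps
we have

$$\Delta_K(\alpha) : (T_1, T_2) \mapsto \alpha(T_1 + T_2) \quad\text{and}\quad \mathrm{Tr}_K(\rho) : T \mapsto \sum_{T_1 + T_2 = T} \rho(T_1, T_2) .$$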

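2.2. Computation of the Selmer group II: Using $w_2$. We define

$$\partial_K : R^\times \to \mathrm{Sym}^2_K(R)^\times$$

by

$$\alpha \mapsto \frac{\alpha \otimes \alpha}{\Delta_K(\alpha)} = \left( (T_1, T_2) \mapsto \frac{\alpha(T_1)\,\alpha(T_2)}{\alpha(T_1 + T_2)} \right).$$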

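In [12, p. 138], we defined another map $\partial$, which we here denote $\partial_2$ to avoid
confusion. It is given by

$$\partial_2 : (R \otimes_K R)^\times \to (R \otimes_K R \otimes_K R)^\times, \qquad \rho \mapsto \left( (T_1, T_2, T_3) \mapsto \frac{\rho(T_1, T_2)\,\rho(T_1 + T_2, T_3)}{\rho(T_1, T_2 + T_3)\,\rho(T_2, T_3)} \right).$$

We let $H_K = \mathrm{Sym}^2_K(R)^\times \cap \ker \partial_2$.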

Let $\bar R = R \otimes_K \bar K$ (which is the etale algebra of E[n] over $\bar K$), and let
$\mathrm{Sym}^2_{\bar K}(\bar R)$ be the etale algebra over $\bar K$ of the set of unordered pairs of
n-torsion points. Similarly, we write $\bar H$ for $H_{\bar K}$.

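Let $w : E(\bar K)[n] \to \bar R^\times$ be given by

$$w(S) : T \mapsto e_n(S, T)$$

where $e_n : E[n] \times E[n] \to \mu_n$ denotes the Weil pairing. Then it is easily seen
that the image of w equals the kernel of $\partial_{\bar K}$. We showed in [13] that the
following is an exact sequence of $G_K$-modules:

$$0 \to E(\bar K)[n] \xrightarrow{\;w\;} \bar R^\times \xrightarrow{\;\partial\;} \bar H \to 0 .$$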
Taking cohomology, this gives an isomorphism

$$w_2 : H^1(K, E[n]) \to H_K / \partial R^\times ,$$

see [13, Lemmas 3.2 and 3.5]. For the construction of explicit n-coverings
representing elements $\xi \in H^1(K, E[n])$ (which, in our intended application,
will be elements of the n-Selmer group), we will need an element $\rho \in H_K$
whose image in $H_K/\partial R^\times$ is the image under $w_2$ of $\xi$.

In principle, we could use $w_2$ to compute such a set of representatives of the
elements of $\mathrm{Sel}^{(n)}(E/K)$ directly, as we now describe. We now assume that
K is a number field. We abbreviate $H_K$ to H (note that what is called H
in [13] would be $H/\partial R^\times$ in the notation used here) and usually drop the
subscripts on $\Delta$, $\partial$, etc.

Recall the Kummer sequence

$$0 \to E(K)/nE(K) \xrightarrow{\;\delta\;} H^1(K, E[n]) \to H^1(K, E)[n] \to 0 .$$

For a place v of K, we write $R_v = R \otimes_K K_v$ and $H_v = H_{K_v}$. We denote
the canonical maps $H \to H_v$ and $H/\partial R^\times \to H_v/\partial R_v^\times$ by $\mathrm{res}_v$. The maps
corresponding to $\delta$ and $w_2$ that we obtain by working over $K_v$ are denoted
by $\delta_v$ and $w_{2,v}$.

By the definition of the n-Selmer group and the fact that $w_2$ is an
isomorphism, we have

$$w_2(\mathrm{Sel}^{(n)}(E/K)) = \{ \rho \in H/\partial R^\times \mid \mathrm{res}_v(\rho) \in \mathrm{im}(w_{2,v} \circ \delta_v) \text{ for all places } v \text{ of } K \} .$$

According to [SB], the image of $\delta_v$ is the unramified subgroup of $H^1(K_v, E[n])$
unless v is infinite and n is even, or v divides n, or the Tamagawa number
of E at v is not coprime to n. Let S be the set of places of K that fall into
one of these categories. If v is a place of K and $\rho \in H$, we say that $\rho$ is
unramified at v if $\rho\,\partial R^\times = w_2(\xi)$ with $\xi \in H^1(K, E[n])$ unramified at v (i.e.,

$$\mathrm{res}_v(\xi) \in \ker\big( H^1(K_v, E[n]) \to H^1(K_v^{\mathrm{nr}}, E[n]) \big)$$

where $K_v^{\mathrm{nr}}$ is the maximal unramified extension of $K_v$). This is equivalent
to saying that the extension $R(\sqrt[n]{\gamma})/R$ of etale algebras is unramified at v for
some $\gamma \in \bar R^\times$ satisfying $\partial\gamma = \rho$. Writing $H_S$ for the subgroup of elements
unramified outside S and $\tilde H_S$ for the image of $H_S$ in $H/\partial R^\times$, we then have

$$w_2(\mathrm{Sel}^{(n)}(E/K)) = \{ \rho \in \tilde H_S \mid \mathrm{res}_v(\rho) \in \mathrm{im}(w_{2,v} \circ \delta_v) \text{ for all } v \in S \} .$$

For an etale K-algebra A, write $U_S(A)$ for the group of S-units of A, $I_S(A)$
for the group of ideals of A supported outside S and $\mathrm{Cl}_S(A)$ for the S-class
group of A. Then there is an exact sequence

$$0 \to U_S(A) \to A^\times \to I_S(A) \to \mathrm{Cl}_S(A) \to 0 .$$
The map $\partial$ induces a homomorphism from this exact sequence for A = R to
the corresponding sequence for $A = \mathrm{Sym}^2_K(R)$. Applying the Snake Lemma
to the commutative diagram

$$\begin{array}{ccccc}
R^\times & \to & H & \to & H/\partial R^\times \\
\downarrow & & \downarrow & & \downarrow \\
I_S(R) & \to & I_S(\mathrm{Sym}^2_K(R)) & \to & I_S(\mathrm{Sym}^2_K(R))/\partial I_S(R)
\end{array}$$

and observing that $\tilde H_S$ is the kernel of the right-most vertical map (this uses
that S contains all primes dividing n), we obtain an exact sequence

$$0 \to \frac{U_S(\mathrm{Sym}^2_K(R)) \cap H}{\partial U_S(R)} \to \tilde H_S \to \mathrm{Cl}_S(R)^\circ \to 0$$

where $\mathrm{Cl}_S(R)^\circ = \ker(\partial : \mathrm{Cl}_S(R) \to \mathrm{Cl}_S(\mathrm{Sym}^2_K(R)))$. There are algorithms
for computing S-unit groups and S-class groups of number fields (see for
example [9, 7.4.2]), which can be applied to the constituent fields of R
and $\mathrm{Sym}^2_K(R)$. Based on these and the exact sequence above, we can
compute an explicit set of generators of $\tilde H_S$.

In order to turn the description of $\mathrm{Sel}^{(n)}(E/K)$ above into an algorithm,
we need to be able to evaluate $w_{2,v} \circ \delta_v$. This can be done as follows.

Let $T \in E[n]$. Then there is a rational function $G_T \in K(T)(E)^\times$ such
that

$$\mathrm{div}(G_T) = [n]^*(T) - [n]^*(O) = \sum_{P :\, nP = T} (P) - \sum_{Q :\, nQ = O} (Q) .$$

These functions have the property that $G_T(P + S) = e_n(S, T)\,G_T(P)$ for
all $S \in E[n]$ and $P \in E$, provided both sides are defined. We can choose
them in such a way that the map $G : T \mapsto G_T$ is Galois-equivariant. Then
we can interpret G as an element of $R(E)^\times$. Here, $R(E) = K(E) \otimes_K R$;
its elements are $G_K$-equivariant maps from E[n] into $\bar K(E)$. Then we have
$G(P + T) = w(T)\,G(P)$ for $P \in E \setminus E[n^2]$ and $T \in E[n]$.

For $T_1, T_2 \in E[n]$ define rational functions $r_{T_1,T_2}$ (compare [HI p. 67]) by

$r_{T_1,T_2} = 1$ if $T_1 = O$ or $T_2 = O$;

$r_{T_1,T_2} = x - x(T_1)$ if $T_1 + T_2 = O$, $T_1 \ne O$;

|-|^^i^-A(T„T.) otherwise, 

where $\lambda(T_1, T_2)$ denotes the slope of the line joining $T_1$ and $T_2$ (or the slope
of the tangent line at $T_1 = T_2$ if the points coincide). Just as before, we can
package these functions into a single element $r \in \mathrm{Sym}^2_K(R)(E)^\times$.



EXPLICIT n-DESCENT ON ELLIPTIC CURVES

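Now consider the following diagram with exact rows.

$$\begin{array}{ccccccccc}
0 & \to & E(\bar K)[n] & \to & E(\bar K) & \xrightarrow{\;n\;} & E(\bar K) & \to & 0 \\
 & & \| & & \text{⇣}\,{\scriptstyle G} & & \text{⇣}\,{\scriptstyle r} & & \\
0 & \to & E(\bar K)[n] & \xrightarrow{\;w\;} & \bar R^\times & \xrightarrow{\;\partial\;} & \bar H & \to & 0
\end{array} \tag{1}$$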

The dashed arrows indicate the partially defined maps given by evaluating
the tuples of rational functions G and r. The right-hand square commutes
by [m Proposition 3.2], provided that we scale the $G_T$ as in the proof of
Proposition 3.1 of [13]. The left-hand square commutes in the sense that
the actions of E[n] on $E(\bar K)$ by translation and on $\bar R^\times$ by multiplication
via w are related by G, i.e., $G(P + T) = w(T)\,G(P)$. Chasing through the
definitions of the connecting homomorphisms $\delta$ and $w_2$, we now easily find
the following.

Proposition 2.1. The composition $w_2 \circ \delta$ is induced by the map
$r : E(K) \setminus E[n] \to H$.

We can extend r to divisors on E with support disjoint from E[n] by 
defining 

p p 

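Then for a principal divisor $D = \mathrm{div}(h)$ we find by Weil reciprocity

$$r_{T_1,T_2}(D) = r_{T_1,T_2}(\mathrm{div}(h)) = h(\mathrm{div}(r_{T_1,T_2})) = \frac{h(T_1)\,h(T_2)}{h(O)\,h(T_1 + T_2)} = \frac{1}{h(O)}\,\partial h|_{E[n]}(T_1, T_2) .$$

We can scale h so that $h(O) = 1$; then

$$r(\mathrm{div}(h)) = \partial h|_{E[n]} \in \partial R^\times$$

if $h \in K(E)^\times$. Therefore we obtain a well-defined map

$$\tilde r : E(K) \cong \mathrm{Pic}^0(E/K) \to H/\partial R^\times ,$$

and we have

$$w_2 \circ \delta = \tilde r .$$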

This construction is valid over any field K of characteristic not dividing n;
in particular, it can be applied over $K_v$ to find $\mathrm{im}(w_{2,v} \circ \delta_v)$. In [SS] there
is a discussion of how to compute images under local descent maps, which
applies mutatis mutandis to the situation at hand.

The following theorem summarises this section. 
Theorem 2.2. Let K be a number field, E/K an elliptic curve, and $n \ge 2$.
There is an efficient algorithm that computes $\mathrm{Sel}^{(n)}(E/K)$, given knowledge
of class and unit groups of the number fields $K(\{T_1, T_2\})$, where $\{T_1, T_2\}$
runs through unordered pairs of n-torsion points of E.

Proof. The algorithm proceeds in the following steps.

(1.) Let S be the set of places v of K that divide n or such that the
Tamagawa number of $E/K_v$ is not coprime to n, together with the
real places of K when n is even.

(2.) Construct the etale algebras R and $\mathrm{Sym}^2_K(R)$.

(3.) Compute an explicit representation of $\tilde H_S$ as defined above.

(4.) For each $v \in S$ construct $\tilde H_v = H_{K_v}/\partial R_v^\times$, together with the map
$\mathrm{res}_v : \tilde H_S \to \tilde H_v$, and find the local image $\tilde r(E(K_v)) \subset \tilde H_v$.

(5.) Compute $\mathrm{Sel}^{(n)}(E/K)$ as

$$\bigcap_{v \in S} \mathrm{res}_v^{-1}\big( \tilde r(E(K_v)) \big) \subset \tilde H_S .$$

The third step (computation of $\tilde H_S$) relies on the computation of the S-class
groups and S-unit groups of the constituent fields of $\mathrm{Sym}^2_K(R)$, which are of
the form $K(\{T_1, T_2\})$ as in the statement of the theorem. The S-class and
S-unit groups can be computed from the class and unit groups. □

As it stands, this result is rather theoretical, since the number fields that
occur are (in most cases) too large for practical computations: as mentioned
earlier, when n is a prime p, then usually there is a component of $\mathrm{Sym}^2_K(R)$
that is a field extension of degree $(p^2 - 1)(p^2 - p)/2$ of K. This is already
prohibitive when n = 3. However, when n is a prime, there is a better
alternative, which we describe next.

2.3. Computation of the Selmer group III: Using $w_1$. There is a group
homomorphism (recalled from [13])

$$w_1 : H^1(K, E[n]) \to R^\times/(R^\times)^n ,$$

which is obtained by applying cohomology to

$$0 \to E[n] \xrightarrow{\;w\;} \mu_n(\bar R) \xrightarrow{\;\partial\;} \partial(\mu_n(\bar R)) \to 0 . \tag{2}$$

It is shown in [17] and [36] that when n is a prime p, the map $w_1$ is injective
(for any field K of characteristic different from p), and a description of the
image is given. This can be used for computing the n-Selmer group as a
subgroup of $R^\times/(R^\times)^n$.

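Let v be a place of K. Then there is an analogous homomorphism

$$w_{1,v} : H^1(K_v, E[n]) \to R_v^\times/(R_v^\times)^n .$$

The maps fit together in a commutative diagram

$$\begin{array}{ccccc}
E(K) & \xrightarrow{\;\delta\;} & H^1(K, E[n]) & \xrightarrow{\;w_1\;} & R^\times/(R^\times)^n \\
\downarrow & & \downarrow {\scriptstyle \mathrm{res}_v} & & \downarrow {\scriptstyle \mathrm{res}_v} \\
E(K_v) & \xrightarrow{\;\delta_v\;} & H^1(K_v, E[n]) & \xrightarrow{\;w_{1,v}\;} & R_v^\times/(R_v^\times)^n .
\end{array}$$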

If $w_1$ and all the $w_{1,v}$ are injective (as happens in the case n is prime), then
this tells us that the n-Selmer group can be realised as an abstract group via

$$\mathrm{Sel}^{(n)}(E/K) \cong R(S, n) \cap \mathrm{im}(w_1) \cap \bigcap_{v \in S} \mathrm{res}_v^{-1}\big( \mathrm{im}(w_{1,v} \circ \delta_v) \big) ;$$

see [3B]. Here, $R(S, n) \subset R^\times/(R^\times)^n$ is the subgroup of elements $\alpha$
unramified outside S (i.e., such that the extension $R(\sqrt[n]{\alpha})/R$ of etale algebras is
unramified outside S). As before, the group R(S, n) can be determined from
a knowledge of the S-class and S-unit groups of the various number fields
that occur in the splitting of R according to the Galois orbits on E[n].

Note that in [36], the etale algebra L (denoted there by A) is used instead of
$R = K \times L$. If $\alpha \in R^\times$ represents some $\xi \in H^1(K, E[n])$, then $\alpha(O) \in (K^\times)^n$,
so without loss of generality we can assume that $\alpha(O) = 1$. Therefore all the
relevant information is already contained in the L-component.

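If n is not a prime, then the map $w_1$ need not be injective: see Section 2.4
for an example with n = 4. For the realisation of $w_1 \circ \delta$, consider the following
diagram analogous to (1):

$$\begin{array}{ccccccccc}
0 & \to & E(\bar K)[n] & \to & E(\bar K) & \xrightarrow{\;n\;} & E(\bar K) & \to & 0 \\
 & & \downarrow {\scriptstyle w} & & \text{⇣}\,{\scriptstyle G} & & \text{⇣}\,{\scriptstyle F} & & \\
0 & \to & \mu_n(\bar R) & \to & \bar R^\times & \xrightarrow{\;n\;} & \bar R^\times & \to & 0
\end{array}$$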

Here, $F \in R(E)^\times$ is the function such that $F_T(nQ) = G_T(Q)^n$ for all
$T \in E[n]$. The divisor of $F_T$ is $n(T) - n(O)$, and if $F(nQ) = G(Q)^n$ with
$G \in R(E)^\times$, then F induces a well-defined map $\tilde F : E(K) \setminus E[n] \to R^\times/(R^\times)^n$,
independent of the particular choice of F. In the same way as discussed after
Proposition 2.1, we can extend this map $\tilde F$ to a map on divisors with support
disjoint from E[n], which only depends on the linear equivalence class, and
therefore gives rise to a homomorphism

$$\tilde F : E(K) \cong \mathrm{Pic}^0(E/K) \to R^\times/(R^\times)^n .$$

This leads to a new proof of the following well-known fact.

Proposition 2.3. The composition $w_1 \circ \delta : E(K) \to R^\times/(R^\times)^n$ is given
by $\tilde F$.
Again, this works for any field K of characteristic not dividing n, and so
we can use it for evaluating the local maps $\delta_v$. The algorithm for computing
$\mathrm{Sel}^{(n)}(K, E)$ then proceeds as before, but now working within R instead
of $\mathrm{Sym}^2_K(R)$. The functions $F_T$ can be evaluated at a given point using
Miller's algorithm [31], which follows the computation of nT and keeps track
of the functions $r_{T_1,T_2}$ witnessing the intermediate sums; it is not necessary
to compute an expression for $F_T$ in terms of the coordinates on a Weierstraß
equation of E (which will be quite complicated when n is large). In practice,
however, even moderately large n quickly make computations infeasible, so n
will be rather small, and it is no problem to work with an explicit expression
for $F_T$ as a function. Such an expression is also helpful for computing e as
defined by (9) below.

Theorem 2.4. Let K be a number field, E/K an elliptic curve and p a
prime number. There is an efficient algorithm that computes $\mathrm{Sel}^{(p)}(E/K)$,
given knowledge of class and unit groups of the number fields K(T), where
T runs through points of order p on E.

Proof. The algorithm proceeds in the following steps (see [56]).

(1.) Let S be the set of places v of K that divide p or such that the
Tamagawa number of $E/K_v$ is divisible by p, together with the real
places of K when p = 2.

(2.) Construct the etale algebra R.

(3.) Compute an explicit representation of $R_1 = R(S, p) \cap \mathrm{im}(w_1)$.

(4.) For each $v \in S$ construct $H_v = R_v^\times/(R_v^\times)^p$, together with the map
$\mathrm{res}_v : R(S, p) \to H_v$, and find the local image $\tilde F(E(K_v)) \subset H_v$.

(5.) Compute $\mathrm{Sel}^{(p)}(E/K)$ as

$$R_1 \cap \bigcap_{v \in S} \mathrm{res}_v^{-1}\big( \tilde F(E(K_v)) \big) \subset R(S, p) .$$

□

2.4. Changing algebras. For the purpose of constructing explicit models
of n-coverings representing the various elements of the n-Selmer group, we
need to represent the Selmer group elements by elements $\rho \in H$. So after
computing $\mathrm{Sel}^{(n)}(E/K)$ as in Theorem 2.4, we need to convert the elements
$\alpha \in R^\times$ we obtain as representatives into elements $\rho \in H$. Note that for this
purpose it is helpful to choose a small representative for the class of $\alpha$ up to
nth powers, by applying the method in [21, Section 2] over each constituent
field of R.

Recall that H is the subgroup of elements $\rho \in \mathrm{Sym}^2_K(R)^\times$ satisfying

$$\rho(T_1, T_2 + T_3)\,\rho(T_2, T_3) = \rho(T_1, T_2)\,\rho(T_1 + T_2, T_3) \quad\text{for all } T_1, T_2, T_3 \in E[n]. \tag{3}$$
Lemma 2.5. Let $\alpha \in R^\times$ represent an element in the image of $w_1$, i.e.,
$\alpha (R^\times)^n = w_1(\xi)$ for some $\xi \in H^1(K, E[n])$. Then there exists $\rho \in H$
satisfying $\partial\alpha = \rho^n$ and

$$\alpha(T) = \prod_{i=0}^{n-1} \rho(T, iT) \quad\text{for all } T \in E[n]. \tag{4}$$

Moreover if $\rho \in H$ satisfies (4) then $\partial\alpha = \rho^n$ and $\rho\,\partial R^\times = w_2(\xi')$ for some
$\xi' \in H^1(K, E[n])$ with $w_1(\xi') = w_1(\xi)$.

Proof: This is [13, Lemma 3.8]. □

To convert $\alpha$ to $\rho$ we first extract an nth root of $\partial\alpha$ in $\mathrm{Sym}^2_K(R)$. We
then multiply by an nth root of unity in $\mathrm{Sym}^2_K(R)$ to find $\rho$ satisfying (3)
and (4). The simplest case, which occurs frequently in practice, is when
$\mathrm{Sym}^2_K(R)$ contains no non-trivial nth roots of unity. There is then a unique
choice of $\rho$. In general we can avoid checking all the conditions in (3) by
determining in advance the number of solutions for $\rho$.

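Definition 2.6. Let $\Gamma$ be the group (under pointwise operations) of all maps
$\gamma : E[n] \to \mu_n$ satisfying

$$\frac{\gamma(\sigma T_1)\,\gamma(\sigma T_2)}{\gamma(\sigma(T_1 + T_2))} = \sigma\!\left( \frac{\gamma(T_1)\,\gamma(T_2)}{\gamma(T_1 + T_2)} \right)$$

for all $\sigma \in G_K$ and $T_1, T_2 \in E[n]$.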

Let $G \cong \mathrm{Gal}(K(E[n])/K)$ be the subgroup of $\mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$ describing the
action of $G_K$ on E[n]. The action of $G_K$ on $\mu_n$ is given by the determinants of
these matrices. Hence $\Gamma$ depends only on G. Indeed, given generators for G,
it is easy to compute $\Gamma$ using linear algebra over Z/nZ. The following lemma
shows that the number of solutions for $\rho$ in Lemma 2.5 is $\#\partial\Gamma = (\#\Gamma)/n^2$.

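Lemma 2.7. (i) There is an exact sequence of abelian groups

$$0 \to E[n] \xrightarrow{\;w\;} \Gamma \xrightarrow{\;\partial\;} \partial\Gamma \to 0 .$$

(ii) $\partial\Gamma = \{ \rho \in H : \prod_{i=0}^{n-1} \rho(T, iT) = 1 \text{ for all } T \in E[n] \}$.

Proof: (i) Since $\Gamma \subset \mu_n(\bar R)$, this is obtained by restricting the exact
sequence (EJ. We note that if $\gamma \in w(E[n])$ then $\gamma : E[n] \to \mu_n$ is a group
homomorphism and so clearly $\gamma \in \Gamma$.
(ii) By [13, Corollary 3.6] every $\rho \in H$ can be written as $\rho = \partial\gamma$ for some
$\gamma \in \bar R^\times$. We note that if $\rho = \partial\gamma$ then

$$\prod_{i=0}^{n-1} \rho(T, iT) = \gamma(T)^n .$$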
Hence the group on the right of (ii) consists of elements $\partial\gamma$ where
$\gamma \in \mu_n(\bar R) = \mathrm{Map}(E[n], \mu_n)$ and $\partial\gamma : E[n] \times E[n] \to \mu_n$ is Galois equivariant.
From Definition 2.6 we recognise this group as $\partial\Gamma$. □

Lemma 2.8. The kernel of $w_1 : H^1(K, E[n]) \to R^\times/(R^\times)^n$ is isomorphic to

Proof: This is seen by taking Galois cohomology of the short exact
sequence (2) and recalling that $w_1$ is the composite of $w_*$ and an isomorphism
$H^1(K, \mu_n(\bar R)) \cong R^\times/(R^\times)^n$. □

In the case n = p is prime it is shown in [17], [36] that $w_1$ is injective.
Then by Lemma 2.8 each of the $\#\partial\Gamma$ possibilities for $\rho$ represent the same
element of $H/\partial R^\times$. The lemma also gives a formula for $\#\partial\Gamma$. Writing dim
for the dimension of a Z/pZ-vector space we have

$$\dim \partial\Gamma = \dim \partial(\mu_p(R)) = \dim \mu_p(R) - \dim E(K)[p] .$$

For general n we can use Lemma 2.8 to check whether $w_1$ is injective. As
promised in [13, Section 3], we give an example to show that $w_1$ need not
always be injective.

Example 2.9. Taking n = 4 we consider the elliptic curve E/Q with
Weierstraß equation

$$y^2 = x^3 + x + 2/13 .$$

A calculation using division polynomials shows that [Q(E[4]) : Q] = 48.
Hence $G \subset \mathrm{GL}_2(\mathbb{Z}/4\mathbb{Z})$ is a subgroup of index 2. There are precisely three
subgroups of index 2 in $\mathrm{GL}_2(\mathbb{Z}/4\mathbb{Z})$. These may be viewed as kernels of
1-dimensional characters, one of which factors via the determinant and another
via the natural map to $\mathrm{GL}_2(\mathbb{Z}/2\mathbb{Z}) \cong S_3$. Thus the 3 possibilities for G
correspond to whether $-1$, $\Delta_E$ or $-\Delta_E$ is a rational square. In this example
$\Delta_E = -(112/13)^2$. Computing $\Gamma$ from G we find #Γ = 2^ It follows by
Lemma 2.7(i) that #∂Γ = 2^. The points of order 2 and 4 on E each form a
single Galois orbit, and their fields of definition do not contain $\sqrt{-1}$. Hence
#E(Q)[4] = 1 and #∂(μ_4(R)) = #μ_4(R) = 2^. It follows by Lemma 2.8
that $w_1$ has kernel of order 2.

This example shows it would be difficult to do a 4-descent directly using 
the map Wi. Fortunately there are better ways of doing 4-descent: see the 
introduction for references. 

2.5. Initial equations for the covering curves. Let $C_\xi \to E$ be the
n-covering corresponding to some $\xi \in H^1(K, E[n])$. In this section we are
concerned with finding an explicit model for $C_\xi$ as a genus one normal curve
of degree n in $\mathbb{P}^{n-1}$.
We explain first why we need to work with $\rho \in H$ representing $\xi$, rather
than with $\alpha \in R^\times$. Recall the commutative diagram

$$\begin{array}{ccc}
E(K) & \xrightarrow{\;\delta\;} & H^1(K, E[n]) \\
 & {\scriptstyle \tilde F}\searrow & \downarrow {\scriptstyle w_1} \\
 & & R^\times/(R^\times)^n
\end{array}$$

from Proposition 2.3. The K-rational points on $C_\xi$ should map to the points
in E(K) whose image under $\delta$ is $\xi$, so whose image under $\tilde F = w_1 \circ \delta$ is
$\alpha (R^\times)^n$. This suggests defining the covering curve by

$$\{ (P, z) \in E \times \mathbb{A}(R) : F(P) = \alpha z^n \} , \tag{5}$$

where $\mathbb{A}(R)$ denotes the affine space over K corresponding to the K-vector
space R (note that $\mathbb{A}(R)$ was denoted 7^ in [H]). Working over $\bar K$ and
writing $z_T$ for z(T), which is the value at T of $z \in \bar R$ considered as a map
on E[n], we note that the $z_T$ can be used as a set of coordinates on $\mathbb{A}(R)$;
hence the equation in (5) may be written as

$$F_T(P) = \alpha(T)\, z_T^n \quad\text{for all } T \in E[n] .$$

We see that for each point $P \in E \setminus E[n]$, there are $n^2$ independent nth roots
to take to obtain the $z_T$. This makes $n^{n^2}$ choices for z, yet the covering map
$C_\xi \to E$ has degree only $n^2$. The equation for T = O reads $1 = z_O^n$ (without
loss of generality, $\alpha(O) = 1$), so we can eliminate a factor of n by setting
$z_O = 1$. Also, by considering z with $z_O = 1$ as a representative of a point
in the projective space $\mathbb{P}(R)$ associated to $\mathbb{A}(R)$ and taking the closure in
$E \times \mathbb{P}(R)$, we may 'fill the gaps' in (5) at the points with P = O (where
the $F_T$ have a pole). This now defines a projective curve C covering E by
a map of degree $n^{n^2-1}$. When n = 2, this curve splits into two isomorphic
components, and after projecting to $\mathbb{P}(R)$ we obtain an intersection of two
quadrics defining the desired curve $C_\xi$. This case will be discussed further
in Section 3.

If $n > 2$, then the curve $C$ defined above splits into $n^{n^2-3}$ geometric components. To see this, we may work over an algebraically closed field $K$; then we can take $\alpha = 1$. We obtain an embedding

$\iota : E \to C, \quad P \mapsto (nP, G(P))$

where $G : E \to \mathbb{P}(R)$ is induced by $G : E \setminus E[n] \to \mathbb{A}(R)$ (recall that $F(nP) = G(P)^n$). Its image is an $n$-covering of $E$ by projection onto the first factor, and the action of $S \in E[n]$ on it is given by $z_T \mapsto e_n(S,T)\, z_T$. In addition, $\mu_n(\bar R)$ acts on $C$ in an obvious way which is compatible with the action of $E[n]$ and the map $w : E[n] \to \mu_n(\bar R)$. Taking into account that $\mu_n = \mu_n(\bar K) \subset \mu_n(\bar R)$ acts trivially on $\mathbb{P}(R)$, this shows that the components of $C$ are parametrised by $\mu_n(\bar R)/(w(E[n])\mu_n)$. This is still true over arbitrary fields $K$, and with $\alpha$ representing any $\xi \in H^1(K, E[n])$; in this case the set of geometric components of $C$ is isomorphic to $\mu_n(\bar R)/(w(E[n])\mu_n)$ as a Galois module. In some cases, this module has only one element defined over $K$, so there is only one component of $C$ that is defined over $K$, which must be the one we seek. But in general, there can be a large number of $K$-rational components; and in any case, the equations one obtains (having degree $n > 2$) are not of the desired form, and it seems rather difficult to pick out the relevant component.

Instead, we work with $\rho \in H$ representing $\xi$. The analogue of the above diagram is provided by Proposition 2.1.

[Commutative diagram relating $E(K)$, $H^1(K, E[n])$ and $H/\partial R^\times$.]

We can now define our covering curve using the relation $r(P) = \rho\,\partial z$. Setting $z_0 = 1$ as above, and then homogenising, this reads as

(6)  $C_\rho = \{(P, z) \in E \times \mathbb{P}(R) : r(P)\, z_0\, \Delta(z) = \rho \cdot (z \otimes z)\} \subset E \times \mathbb{P}(R)$

with the covering map $C_\rho \to E$ given by projection to the first factor. Note that this is quadratic in $z$. Over $\bar K$, in terms of the coordinates $z_T$, the equations read

$r_{T_1,T_2}(P)\, z_0\, z_{T_1+T_2} = \rho(T_1,T_2)\, z_{T_1} z_{T_2}$

with $T_1, T_2 \in E[n]$. It is shown in [H] that projecting to $\mathbb{P}(R)$ (which is equivalent to eliminating $P \in E$) gives $n^2(n^2-3)/2$ linearly independent quadrics defining $C_\rho \subset \mathbb{P}(R) = \mathbb{P}^{n^2-1}$ as a genus one normal curve of degree $n^2$.

The equations for $C_\rho \subset \mathbb{P}(R)$ are obtained from

(7)  $(X - x_T)\, z_0^2 - \rho(T,-T)\, z_T z_{-T}$

for $T \in E[n] \setminus \{O\}$ and

(8)  $(\Lambda_T - \lambda(T_1,T_2))\, z_0 z_T - \rho(T_1,T_2)\, z_{T_1} z_{T_2}$

for $T_1, T_2, T \in E[n] \setminus \{O\}$ with $T_1 + T_2 = T$, by taking differences to eliminate the indeterminates $X$ and $\Lambda_T$. In fact the equations recorded in [1 Proposition 3.7] are these differences.

2.6. Improved equations for the covering curves. Suppose $\rho \in H$ represents an element $\xi \in H^1(K, E[n])$ with trivial obstruction (as defined in [131 E]), for example a Selmer group element $\xi \in \mathrm{Sel}^{(n)}(E/K)$. In the previous section we showed how to write the covering curve $C_\rho$ as a curve of degree $n^2$ in $\mathbb{P}^{n^2-1}$. We now want to write it as a curve of degree $n$ in $\mathbb{P}^{n-1}$. We recall how to do this using the Segre embedding method, as described in [13, Section 5.3] and [H].

First we fix the scaling of the $F_T$ so that each has leading coefficient 1 when expanded as a power series in the local parameter $x/y$ at $O$. Then we define $\varepsilon \in (R \otimes_K R)^\times$ by

(9)  $\varepsilon(T_1,T_2) = \dfrac{F_{T_1+T_2}(P)}{F_{T_1}(P)\, F_{T_2}(P - T_1)}$

(which is independent of $P \in E$), compare Step 2 on p. 154 in [13]. Let $*_{\varepsilon\rho}$ be the new multiplication on $R$ defined by

$z_1 *_{\varepsilon\rho} z_2 = \mathrm{Tr}(\varepsilon\rho \cdot (z_1 \otimes z_2))$.

Then the obstruction algebra $A_\rho = (R, +, *_{\varepsilon\rho})$ is a central simple algebra over $K$ of dimension $n^2$. Since we are assuming that $\rho$ represents an element with trivial obstruction we have $A_\rho \cong \mathrm{Mat}_n(K)$. In Section 6 we discuss how to find such an isomorphism explicitly.

Recall that we have equations for $C_\rho \subset \mathbb{P}(R)$. Since $R$ and $A_\rho$ have the same underlying vector space, and we have now trivialised the obstruction algebra, we get $C_\rho \subset \mathbb{P}(\mathrm{Mat}_n)$. We project $C_\rho$ away from the identity matrix onto the hyperplane of trace zero matrices. The result is a curve $C$ lying in the locus of rank 1 matrices. In other words the inclusion of this curve in $\mathbb{P}(\mathrm{Mat}_n)$ factors via the Segre embedding

$\mathbb{P}^{n-1} \times (\mathbb{P}^{n-1})^\vee \to \mathbb{P}(\mathrm{Mat}_n)$.

Projecting onto a row or column gives either the degree-$n$ curve $C \to \mathbb{P}^{n-1}$ we are looking for, or its dual $C \to (\mathbb{P}^{n-1})^\vee$, which is a curve of degree $n^2 - n$.

Writing $z \in R = K \times L$ as $z = (z_0, z')$, the projection to the subspace of trace-zero matrices corresponds to eliminating $z_0$ from the equations (recall that $\mathrm{Tr}(M_T) = 0$ for $T \ne O$, where $M_T$ gives the action of $T$ on the ambient space $\mathbb{P}^{n-1}$ of $C$). We note that if $T_1 + T_2 = T_1' + T_2' = T$ and $\{T_1, T_2\} \ne \{T_1', T_2'\}$ then $\lambda(T_1,T_2) \ne \lambda(T_1',T_2')$. Assuming $n \ge 3$, it is clear by (7) and (8) that eliminating $z_0$ by linear algebra will reduce the dimension of the vector space of quadrics by exactly $n^2$. So after trivialising the algebra we have $n^2(n^2-5)/2$ quadrics that are a basis for the space of quadrics vanishing on

$C \subset \mathbb{P}(\mathrm{Tr} = 0) \cong \mathbb{P}^{n^2-2}$.

Together with the quadrics that are a product of a linear form and the trace form, these span the space of quadrics vanishing on

$C \subset \mathbb{P}(\mathrm{Mat}_n) = \mathbb{P}^{n^2-1}$.

Lemma 2.10. Let $C \subset \mathbb{P}^{n-1}$ be a genus one normal curve with homogeneous ideal $I(C) \subset K[x_1, \ldots, x_n]$. Let $C$ be the image of the map $C \to \mathbb{P}^{n-1} \times (\mathbb{P}^{n-1})^\vee \to \mathbb{P}(\mathrm{Mat}_n)$ with homogeneous ideal $I(C) \subset K[z_{11}, z_{12}, \ldots, z_{nn}]$. If $f \in K[x_1, \ldots, x_n]$ is a homogeneous form, then

$f(x_1, \ldots, x_n) \in I(C) \iff f(z_{11}, z_{21}, \ldots, z_{n1}) \in I(C)$.

Proof: This is clear since the dual curve spans $(\mathbb{P}^{n-1})^\vee$. □

The quadrics vanishing on $C \subset \mathbb{P}^{n-1}$ may now be computed by linear algebra. If $n \ge 4$ then these quadrics define $C$. (In fact they generate the homogeneous ideal.) When $n = 3$ the equation for $C$ is a ternary cubic. In Section 4 we explain how this too may be computed using linear algebra.

3. Application to 2-descent 

We show that the method sketched above reduces in the case $n = 2$ to classical 2-descent, as described, for example, in [5], |3S], and with algorithmic details in [5B].

Let $E$ be given by a short Weierstrass equation:

$E : y^2 = f(x) = (x - e_1)(x - e_2)(x - e_3)$.

Let $T_i = (e_i, 0)$. We have $R = K \times L$ where $L = K[e]$ is the cubic $K$-algebra generated by $e$ with minimal polynomial $f(x)$. Let $\alpha \in R^\times$ represent a Selmer group element. We write $\alpha_i = \alpha(T_i)$. Without loss of generality the $K$-component of $\alpha$ is 1, and we may regard $\alpha$ as an element of $L^\times$. It is well known (see [35, Theorem 1.1]) that $w_1$ induces an isomorphism

$H^1(K, E[2]) \cong \ker\left( L^\times/(L^\times)^2 \xrightarrow{N_{L/K}} K^\times/(K^\times)^2 \right)$.

Therefore $\alpha$ has square norm, say $N_{L/K}\alpha = \alpha_1\alpha_2\alpha_3 = b^2$ for some $b \in K^\times$. Taking $F_{T_i} = x - e_i$ in (5), and setting $z_0 = 1$, we obtain equations

(10)  $x - e_i = \alpha_i z_i^2$ for $i = 1, 2, 3$,
      $y = \pm b\, z_1 z_2 z_3$

where $z_i = z(T_i)$. Alternatively, since

$r(T_i, T_j) = x - e_i$ if $i = j$, and $r(T_i, T_j) = y/(x - e_k)$ if $\{i,j,k\} = \{1,2,3\}$,

and $\alpha \in R^\times$ corresponds to $\rho \in H$ where

$\rho(T_i, T_j) = \alpha_i$ if $i = j$, and $\rho(T_i, T_j) = b/\alpha_k$ if $\{i,j,k\} = \{1,2,3\}$,

we obtain the same equations using (6). The components of $r$ and $\rho$ where one of the torsion points is $O$ are all trivial. Notice that switching the sign of $b$ multiplies $\rho$ by $\partial\gamma$ where $\gamma = (1, -1) \in K \times L$.

The first three equations in (10) may be written (after homogenisation) as

$X - e\, u_3^2 = \alpha u^2$,

where $u = u_0 + u_1 e + u_2 e^2$ is an "unknown" element of $L^\times$. Expanding and equating coefficients of powers of $e$ gives two quadrics in $u_0, u_1, u_2, u_3$, defined over $K$, which define $C_\rho \subset \mathbb{P}^3$ as a curve of degree 4. We would like to write $C_\rho$ as a double cover of $\mathbb{P}^1$. The classical approach is to observe that one of the quadrics does not involve $u_3$ and hence defines a conic $S$ in $\mathbb{P}^2(u_0, u_1, u_2)$; the projection to $S$ is a double cover $C_\rho \to S$. If $\alpha$ is a Selmer group element then $S \cong \mathbb{P}^1$. In practice one expresses the isomorphism $\mathbb{P}^1 \to S$ as a parametrisation $u_j = q_j(v_0, v_1)$ for $j = 1, 2, 3$, where the $q_j$ are binary quadratics; substituting into the first quadric in the $u_j$, in which the only term involving $u_3$ is (a non-zero constant times) $u_3^2$, we find an equation for $C_\rho$ of the form $u_3^2 = Q(v_0, v_1)$ where $Q$ is a binary quartic.

To obtain the 2-covering map $C_\rho \to E$ we simply substitute in (10) to recover $x$, while $y$ is determined up to sign by $y^2 = N_{L/K}(\alpha u^2)$. Hence we have two possibilities for the covering map, which differ by negation on $E$; these 2-coverings are equivalent.
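
The classical construction above, carried out by exact arithmetic in $L = K[e]/(f)$: the code computes the two quadrics, parametrises the conic $S$ from a known point, and evaluates the binary quartic and the $x$-coordinate of the image on $E$. This is an added Python example, not part of the paper or of the authors' MAGMA implementation; the curve $y^2 = x^3 + 1$, the element $\alpha = 2 - e$ coming from the point $(2, 3)$, the point $(1, 0, 0)$ on $S$ and all function names are constructed for illustration.

```python
from fractions import Fraction
from math import isqrt

def mul_mod(p, q, f):
    """Product of p and q in L = K[e]/(f), with f = e^3 + f[2] e^2 + f[1] e + f[0].

    Elements of L are coefficient lists [c0, c1, c2] meaning c0 + c1 e + c2 e^2.
    """
    prod = [Fraction(0)] * 5
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            prod[i + j] += pi * qj
    for d in (4, 3):  # rewrite e^d using e^3 = -(f[0] + f[1] e + f[2] e^2)
        top, prod[d] = prod[d], Fraction(0)
        for k in range(3):
            prod[d - 3 + k] -= top * f[k]
    return prod[:3]

def descent_quadrics(f, alpha):
    """Symmetric matrices Q0, Q1, Q2 with alpha*u^2 = Q0(u) + Q1(u) e + Q2(u) e^2."""
    power = [[Fraction(int(i == j)) for j in range(3)] for i in range(3)]  # 1, e, e^2
    Q = [[[Fraction(0)] * 3 for _ in range(3)] for _ in range(3)]
    for i in range(3):
        for j in range(3):
            coeffs = mul_mod(alpha, mul_mod(power[i], power[j], f), f)
            for k in range(3):
                Q[k][i][j] = coeffs[k]
    return Q

def bilinear(M, u, w):
    return sum(M[i][j] * u[i] * w[j] for i in range(3) for j in range(3))

def conic_point(S, p0, v):
    """Second intersection of the conic S(u) = 0 with the line through p0 and (0, v0, v1).

    Requires S(p0) = 0 and p0[0] != 0; the coordinates are binary quadratics in (v0, v1).
    """
    w = [Fraction(0), Fraction(v[0]), Fraction(v[1])]
    s, t = -bilinear(S, w, w), 2 * bilinear(S, p0, w)
    return [s * a + t * b for a, b in zip(p0, w)]

def two_covering(f, alpha, p0, v):
    """Return (x, Q(v0, v1)): the x-coordinate on E and the quartic value u3^2."""
    Q0, Q1, Q2 = descent_quadrics(f, alpha)
    if bilinear(Q2, p0, p0) != 0:
        raise ValueError("p0 does not lie on the conic S")
    u = conic_point(Q2, p0, v)          # Q2(u) = 0 is the quadric without u3
    quartic = -bilinear(Q1, u, u)       # e-coefficient of X - e*u3^2 = alpha*u^2
    if quartic == 0:
        raise ValueError("u3 = 0: no affine x-coordinate (or v = (0, 0))")
    return bilinear(Q0, u, u) / quartic, quartic

def is_rational_square(q):
    return q > 0 and isqrt(q.numerator) ** 2 == q.numerator \
        and isqrt(q.denominator) ** 2 == q.denominator

def rational_x_coordinates(f, alpha, p0, bound):
    """x-coordinates from (v0, v1), |v0|, |v1| <= bound, where Q(v0, v1) is a square."""
    found = set()
    for v0 in range(-bound, bound + 1):
        for v1 in range(-bound, bound + 1):
            try:
                x, quartic = two_covering(f, alpha, p0, (v0, v1))
            except ValueError:
                continue
            if is_rational_square(quartic):
                found.add(x)
    return found

# Constructed example: E: y^2 = x^3 + 1 and alpha = x(P) - e for P = (2, 3),
# so N(alpha) = f(2) = 3^2; the point (1, 0, 0) lies on the conic S.
F_EXAMPLE = [Fraction(1), Fraction(0), Fraction(0)]
ALPHA_EXAMPLE = [Fraction(2), Fraction(-1), Fraction(0)]
P0_EXAMPLE = [Fraction(1), Fraction(0), Fraction(0)]
```

Whenever the quartic takes a square value the returned $x$ satisfies $x - e = \alpha (u/u_3)^2$, so $f(x) = N_{L/K}(x - e)$ is a square and $x$ is the $x$-coordinate of a rational point of $E$.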

We now compare with the Segre embedding method as described in Section 2.6. The obstruction algebra is $A = (R, +, *_{\varepsilon\rho})$ where using (9) we compute

$\varepsilon(T_i, T_j) = 1/f'(e_i)$ if $i = j$, and $\varepsilon(T_i, T_j) = 1/(e_i - e_j)$ otherwise.

Let $S = \{z \in \mathbb{P}(A) : \mathrm{Trd}(z) = \mathrm{Nrd}(z) = 0\}$. Our general recipe says that if we project $C_\rho$ to the plane $\{\mathrm{Trd}(z) = 0\}$, then the result lies in $S$. This gives $C_\rho$ as a double cover of $S$. In fact, $S$ is defined by $z_0 = 0$ and $z *_{\varepsilon\rho} z = 0$. The latter works out as

which is one of the quadrics in the pencil defining $C_\rho$. Hence our conic $S$ is the same as that considered in the classical approach. The problems of trivialising $A$ and finding a rational point on $S$ are clearly equivalent. Once we have trivialised $A$ we get an isomorphism $S \cong \mathbb{P}^1$ by projecting to a row or column (it does not matter which, since $\mathbb{P}^1$ is self-dual). Exactly as before we can then write $C_\rho$ as a double cover of $\mathbb{P}^1$.

4. Application to 3-descent 

We give further details of our algorithms in the case $n = 3$. Let $E$ be an elliptic curve over a number field $K$. We fix an isomorphism $E[3] \cong (\mathbb{Z}/3\mathbb{Z})^2$, say $T_{ij} \mapsto (i, j)$, and let $T = T_{11}$. We assume that the Galois action on $E[3]$ is generic, in the sense that $\rho_{E,3} : G_K \to \mathrm{GL}_2(\mathbb{Z}/3\mathbb{Z})$ is surjective.¹ Then there is a tower of number fields

[Field diagram: $K \subset L = K(T) \subset M^+ \subset M = K(E[3])$, with $[M^+ : L] = 3$.]

where $M^+$ is the subfield of $M$ fixed by $T_{ij} \mapsto T_{ji}$ and $L^+$ is the subfield of $L$ fixed by $\sigma : T \mapsto -T$. We write $\iota_{ij} : L \to M$ for the embedding given by $T \mapsto T_{ij}$. Thus $\iota_{11}$ is the natural inclusion and $\iota_{ij} \circ \sigma = \iota_{-i,-j}$.

There are two orbits for the action of $G_K$ on $E[3]$, with representatives $O$ and $T$, and six orbits for the action of $G_K$ on $E[3] \times E[3]$, with representatives

$(O, O),\ (T, O),\ (O, T),\ (-T, -T),\ (T, -T),\ (T_{10}, T_{01})$,

chosen so that each pair sums to either $O$ or $T$. Using these representatives we identify $R = K \times L$ and (writing $r = (r_1, r_2)$, $s = (s_1, s_2)$ with $r_1, s_1 \in K$, $r_2, s_2 \in L$)

$R \otimes_K R = K \times L \times L \times L \times L \times M$

The comultiplication $\Delta : R \to R \otimes_K R$ is given by

$(r_1, r_2) \mapsto (r_1, r_2, r_2, r_2, r_1, r_2)$

and the trace map $\mathrm{Tr} : R \otimes_K R \to R$ by

(12)  $(a, b_1, b_2, b_3, b_4, c) \mapsto (a + \mathrm{Tr}_{L/K}(b_4),\ b_1 + b_2 + b_3 + \mathrm{Tr}_{M/L}(c))$.

¹ If $K = \mathbb{Q}$ then there are exactly 8 possibilities for $\mathrm{Im}(\rho_{E,3})$ up to conjugacy. Our MAGMA implementation relies on a similar analysis of all 8 cases.

In Section 2.3 we showed how to compute $\alpha = (1, a) \in R^\times$ representing an element of $\mathrm{Sel}^{(3)}(E/K)$. We now compute

$u = \sqrt[3]{a\,\sigma(a)}, \qquad v = \sqrt[3]{\iota_{10}(a)\,\iota_{01}(a)/a}$,

by extracting cube roots in $L^+$ and $M^+$. Since $\det \rho_{E,3}$ is the cyclotomic character, these fields have no non-trivial cube roots of unity. Hence $u$ and $v$ are uniquely determined. The elements $\varepsilon$ and $\rho$ in $R \otimes_K R$ are defined by

$\varepsilon = (1, 1, 1, 1, 1, e_3(T_{10}, T_{01}))$

where $e_3 : E[3] \times E[3] \to \mu_3$ is the Weil pairing. The reader is warned that this $\varepsilon$ is different from the one given in (9). We explain how to correct for this in Section 7. The sign convention we use for the Weil pairing does matter, but is not worth fixing here since we can correct for it later if necessary.

Let $u_1, \ldots, u_8$ be a basis for $L$ over $K$. (In Section 5 we describe how to make a good choice of basis.) Then $R$ has basis $r_1, \ldots, r_9$ where $r_1 = (1, 0)$ and $r_{i+1} = (0, u_i)$. Structure constants $c_{ijk} \in K$ for the obstruction algebra $A = (R, +, *_{\varepsilon\rho})$ are now given by

$\mathrm{Tr}(\varepsilon\rho\,(r_i \otimes r_j)) = \sum_{k=1}^{9} c_{ijk}\, r_k$.

The $c_{ijk}$ are computed using the formulae (11), (12) and (13). Since $\alpha$ represents a Selmer group element we know that $A_\rho \cong \mathrm{Mat}_3(K)$. In Section 6 we show how to find such an isomorphism explicitly. In other words, we find (non-zero) matrices $M_1, \ldots, M_9 \in \mathrm{Mat}_3(K)$ satisfying

(14)  $M_i M_j = \sum_{k=1}^{9} c_{ijk}\, M_k$.

We fix a Weierstrass equation $y^2 = x^3 + ax + b$ for $E$ and let $T = (x_T, y_T)$. The tangent line to $E$ at $T$ has slope $\lambda_T = \lambda(T, T) = (3x_T^2 + a)/(2y_T)$. We define linear forms in indeterminates $z_1, \ldots, z_8$,

$z_T = \sum_{i=1}^{8} u_i z_i$,  $z_{10} = \sum_{i=1}^{8} \iota_{10}(u_i)\, z_i$,

$z_{-T} = \sum_{i=1}^{8} \sigma(u_i)\, z_i$,  $z_{01} = \sum_{i=1}^{8} \iota_{01}(u_i)\, z_i$,

where $u_1, \ldots, u_8$ is our basis for $L$ over $K$. Let $Q_1$ and $Q_2$ be the quadrics with coefficients in $L^+$ and $M^+$ defined by

$Q_1(z_0, \ldots, z_8) = x_T z_0^2 + \rho_5\, z_T z_{-T}$

$Q_2(z_0, \ldots, z_8) = (\lambda_T + \mu_T)\, z_0 z_T - \rho_4\, z_{-T}^2 + \rho_6\, z_{10} z_{01}$

where the $\rho_i$ are the components of $\rho$, and $\mu_T = \frac{1}{3}(\iota_{10}(\lambda_T) + \iota_{01}(\lambda_T) - \lambda_T)$. Writing each coefficient in terms of fixed $K$-bases for $L^+$ and $M^+$, we obtain $[L^+ : K] = 4$ quadrics from $Q_1$ and $[M^+ : K] = 24$ quadrics from $Q_2$. In [13] these are called the quadrics of types I and II. We choose our basis for $L^+$ so that its first element is 1, and ignore the first type I quadric. The result is 27 quadrics in $K[z_0, \ldots, z_8]$.

Lemma 4.1. These 27 quadrics generate the homogeneous ideal of the degree 9 curve $C_\rho \subset \mathbb{P}(R) = \mathbb{P}^8$.

Proof: Let $v_1 = 1, v_2, v_3, v_4$ be a basis for $L^+$ over $K$. We write

$x_T z_0^2 + \rho(T, -T)\, z_T z_{-T} = \sum_{i=1}^{4} v_i\, q_i(z_0, \ldots, z_8)$

where $q_1, \ldots, q_4 \in K[z_0, \ldots, z_8]$. Then (7) becomes

$X = q_1(z_0, \ldots, z_8)$
$0 = q_i(z_0, \ldots, z_8)$ for $i = 2, 3, 4$.

We eliminate $X$ by ignoring the first quadric $q_1$.

Next we take $(T_1, T_2) = (T_{10}, T_{01})$ and $(-T, -T)$ in (8). Subtracting to eliminate $\Lambda_T$ gives the quadric

$(\lambda(T_{10}, T_{01}) - \lambda(-T, -T))\, z_0 z_T - \rho(-T, -T)\, z_{-T}^2 + \rho(T_{10}, T_{01})\, z_{10} z_{01}$.

Assuming that

(15)  $\lambda(T_{10}, T_{01}) = \frac{1}{3}\left(\lambda(T_{10}, T_{10}) + \lambda(T_{01}, T_{01}) - \lambda(T, T)\right)$

this is precisely the quadric $Q_2$. To complete the proof we note that (15) is a special case of the following lemma. □

Lemma 4.2. Let $T_1, T_2, T_3 \in E[3] \setminus \{O\}$ with $T_1 + T_2 + T_3 = O$. Then

$\lambda(T_1, T_2) = \frac{1}{3} \sum_{i=1}^{3} \lambda(T_i, T_i)$.

Proof: Let $f_i = y - \lambda_i x - \nu_i$ be the equation of the tangent line at $T_i$ and $f = y - \lambda x - \nu$ the equation of the chord through $T_1$, $T_2$ and $T_3$. As rational functions on $E$ we have $f_1 f_2 f_3 = f^3$. Expanding as power series in the local parameter $x/y$ at $O$ it follows that $\lambda = \frac{1}{3}(\lambda_1 + \lambda_2 + \lambda_3)$ as required. □

The remainder of the algorithm is the same for all Galois actions on $E[3]$. As specified in Section 2.6 we intersect the above space of quadrics with $K[z_1, \ldots, z_8]$ to leave an 18-dimensional space of quadrics defining the projection of $C_\rho \subset \mathbb{P}(R) = \mathbb{P}^8$ to $\mathbb{P}(L) = \mathbb{P}^7$. In other words we eliminate the monomials $z_0 z_i$ by linear algebra. We then make the following changes of coordinates.

• A change of coordinates corresponding to pointwise multiplication by the "fudge factor" $1/y_T \in L$ (relative to the basis $u_1, \ldots, u_8$). This is to make up for the fact that the definitions of $\varepsilon$ in (9) and (13) are different. We explain this further in Section 7.

• A change of coordinates corresponding to the trivialisation of the obstruction algebra.

We now have 18 quadrics in variables $z_{ij}$ where $1 \le i, j \le 3$. These coordinates correspond to the standard basis for $\mathrm{Mat}_3(K)$.

Lemma 4.3. Substituting $z_{ij} = x_i y_j$ gives a basis for the space of (2, 2)-forms vanishing on the image of $C \to \mathbb{P}^2 \times (\mathbb{P}^2)^\vee$.

Proof: We start with a basis for the 18-dimensional space of quadrics vanishing on $C \subset \mathbb{P}(\mathrm{Tr} = 0)$. This may be identified with the space of quadrics vanishing on $C \subset \mathbb{P}(\mathrm{Mat}_3)$ that are "singular at $I_3$". (A quadric is "singular at $I_3$" if when we write it relative to a basis for $\mathrm{Mat}_3(K)$ with first basis vector $I_3$, the first variable does not appear.) Substituting $z_{ij} = x_i y_j$ gives a surjective linear map $\Phi$ from the 45-dimensional space of quadrics in $z_{11}, \ldots, z_{33}$ to the 36-dimensional space of (2, 2)-forms in $x_1, x_2, x_3$ and $y_1, y_2, y_3$. The kernel is spanned by the $2 \times 2$ minors of the matrix $(z_{ij})$ and is a complement to the space of quadrics "singular at $I_3$". Thus $\Phi$ induces an isomorphism between the space of quadrics vanishing on $C \subset \mathbb{P}(\mathrm{Tr} = 0)$ and the space of (2, 2)-forms vanishing on the image of $C \to \mathbb{P}^2 \times (\mathbb{P}^2)^\vee$. □

We multiply each of the forms constructed in Lemma 4.3 by the $x_i$ to obtain 54 forms of bidegree (3, 2). The following lemma shows that there is a ternary cubic $f$, unique up to scalars, such that $y_1^2 f(x_1, x_2, x_3)$ belongs to the span of these 54 forms. Moreover $f$ is the equation of the curve $C \subset \mathbb{P}^2$ we are looking for.

Lemma 4.4. Let $C \subset \mathbb{P}^2$ be a non-singular plane cubic with equation $f = 0$. Let $V$ be the space of (2, 2)-forms vanishing on the image of $C \to \mathbb{P}^2 \times (\mathbb{P}^2)^\vee$. Then $y_1^2 f(x_1, x_2, x_3)$ is a (3, 2)-form in the ideal generated by $V$. Moreover this is the only such polynomial up to scalars.

Proof: By Euler's identity $3f = \sum_{i=1}^{3} x_i \frac{\partial f}{\partial x_i}$ we have

(16)  $3 y_1^2 f = x_2 y_1 g_{12} + x_3 y_1 g_{13} + \frac{\partial f}{\partial x_1}\, y_1 \ell$

where $\ell = \sum_{i=1}^{3} x_i y_i$ and $g_{ij} = y_i \frac{\partial f}{\partial x_j} - y_j \frac{\partial f}{\partial x_i}$ are bi-homogeneous forms vanishing on the image of $C \to \mathbb{P}^2 \times (\mathbb{P}^2)^\vee$. Exactly as in the proof of Lemma 2.10 the uniqueness statement follows from the fact that the dual curve spans $(\mathbb{P}^2)^\vee$. □

Lemma 4.4 allows us to compute the ternary cubic $f$ by linear algebra. If we had made the wrong choice of sign for the Weil pairing, then the matrices $M_i$ in (14) would be the transposes of the desired ones; switching the roles of the $x_i$ and $y_j$ corrects for this.

Our implementation in MAGMA over $K = \mathbb{Q}$ finishes by minimising and reducing the ternary cubic as described in [15]. The covering map, computed using the classical formulae in pj, is also returned.

5. A good basis for the obstruction algebra

The obstruction algebra $A_\rho = (R, +, *_{\varepsilon\rho})$ was defined in Section 2.6. In the case $K = \mathbb{Q}$ we explain how to choose a $\mathbb{Q}$-basis for $R$ so that the structure constants for $A_\rho$ are small integers. This is useful for the later parts of our algorithm, for example when trivialising the obstruction algebra as described in the next section.

We recall that $R$ is a product of number fields. Its ring of integers $\mathcal{O}_R$ is the product of the rings of integers of these fields. A fractional ideal in $R$ is just a tuple of fractional ideals, one for each field, and a prime ideal is a tuple where one component is a prime ideal, and all other components are unit ideals.

Let $\alpha \in R^\times$ represent $w_1(\xi)$ for some $\xi \in H^1(\mathbb{Q}, E[n])$. We write $(\alpha) = \mathfrak{b}\mathfrak{c}^n$ where $\mathfrak{b}$ is integral and $n$th power free. We then choose as our $\mathbb{Q}$-basis for $R$ a $\mathbb{Z}$-basis for $\mathfrak{c}^{-1}$ that is LLL-reduced with respect to the inner product

(17)  $\langle z_1, z_2 \rangle = \sum_{T \in E[n]} |\alpha(T)|^{2/n}\, z_1(T)\, \overline{z_2(T)}$,

where the bar denotes complex conjugation. In the remainder of this section we explain why this is a good choice. Notice that in defining the inner product we have implicitly fixed an embedding $\bar{\mathbb{Q}} \subset \mathbb{C}$.

We restrict to the case $n = 2m - 1$ is odd and take for $\varepsilon$ the square root of the Weil pairing, i.e., $\varepsilon(S, T) = e_n(S, T)^m$. By definition of $w_1$ (see [13, Section 3]) there exists $\gamma \in \bar R^\times$ with $\gamma^n = \alpha$ and $w(\xi_\sigma) = \sigma(\gamma)/\gamma$ for all $\sigma \in G_{\mathbb{Q}}$. Then $w_2(\xi) = \rho\,\partial R^\times$ where $\rho = \partial\gamma \in (R \otimes R)^\times$.

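Lemma 5.1. The structure constants for $A_\rho$ with respect to a $\mathbb{Z}$-basis for $\mathfrak{c}^{-1}$ are integers, i.e., $(\mathfrak{c}^{-1}, +, *_{\varepsilon\rho}) \subset A_\rho$ is an order.

Proof: Let $\mathfrak{p}$ be a prime of $R$. Put $r = \mathrm{ord}_\mathfrak{p}(\mathfrak{b})$ and $q = \mathrm{ord}_\mathfrak{p}(\mathfrak{c})$ so that $\mathrm{ord}_\mathfrak{p}(\alpha) = qn + r$ with $0 \le r < n$. Let $z_1, z_2 \in \mathfrak{c}^{-1}$. Then $\mathrm{ord}_\mathfrak{p}(z_i) \ge -q$ for $i = 1, 2$. Extending $\mathrm{ord}_\mathfrak{p}$ to $\bar R$ and recalling that $\gamma^n = \alpha$, we have $\mathrm{ord}_\mathfrak{p}(\gamma z_i) \ge 0$. Then

$z_1 *_{\varepsilon\rho} z_2 = \mathrm{Tr}(\varepsilon\rho \cdot (z_1 \otimes z_2)) = \gamma^{-1}\, \mathrm{Tr}(\varepsilon \cdot (\gamma z_1 \otimes \gamma z_2))$.

Since $\varepsilon \in R \otimes_K R$ is integral and the trace map $\mathrm{Tr} : R \otimes_K R \to R$ preserves integrality we deduce $\mathrm{ord}_\mathfrak{p}(z_1 *_{\varepsilon\rho} z_2) \ge -(qn + r)/n$. Since this valuation is an integer we must therefore have $\mathrm{ord}_\mathfrak{p}(z_1 *_{\varepsilon\rho} z_2) \ge -q$. Repeating for all primes $\mathfrak{p}$ of $R$ it follows that $z_1 *_{\varepsilon\rho} z_2 \in \mathfrak{c}^{-1}$ as required. □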

Let $\tau \in G_{\mathbb{Q}}$ be complex conjugation. (Recall that we fixed an embedding $\bar{\mathbb{Q}} \subset \mathbb{C}$.) Since $n$ is odd we have $H^1(\mathbb{R}, E[n]) = 0$ and so $\tau(\gamma)/\gamma = w(\xi_\tau) = w(\tau(S) - S)$ for some $S \in E[n]$. Therefore dividing $\gamma$ by $w(S)$ we may assume that $\gamma : E[n] \to \bar{\mathbb{Q}}$ is $G_{\mathbb{R}}$-equivariant. It follows by p^ Lemma 4.6] that pointwise multiplication by $\gamma$ defines an isomorphism $A_\rho \otimes \mathbb{R} \cong A_1 \otimes \mathbb{R}$.

Let $T_1, T_2$ be a basis for $E[n](\mathbb{C})$ with $\overline{T_1} = T_1$, $\overline{T_2} = -T_2$ and $e_n(T_1, T_2) = \zeta_n$. We define

where the exponent of $\zeta_n$ is an element of $\mathbb{Z}/n\mathbb{Z}$. It may be verified that

$h(S)\, h(T) = \varepsilon(S, T)\, h(S + T)$

for all $S, T \in E[n]$. Hence there is an isomorphism $A_1 \otimes \mathbb{C} \cong \mathrm{Mat}_n(\mathbb{C})$ given by $z \mapsto \sum_T z(T)\, h(T)$. Since this isomorphism respects complex conjugation it restricts to an isomorphism $A_1 \otimes \mathbb{R} \cong \mathrm{Mat}_n(\mathbb{R})$.

Composing the isomorphisms defined in the previous two paragraphs gives a trivialisation of $A_\rho$ over $\mathbb{R}$, i.e.,

(18)  $A_\rho \otimes \mathbb{R} \cong \mathrm{Mat}_n(\mathbb{R}); \quad z \mapsto \sum_{T \in E[n]} \gamma(T)\, z(T)\, h(T)$.

We use this trivialisation first to compute the discriminant of the order in Lemma 5.1 and then to explain why we chose the inner product (17). The discriminant $\mathrm{Disc}(R)$ of $R$ is the product of the discriminants of the constituent fields. The norm of $\mathfrak{b} \subset \mathcal{O}_R$ is $\mathrm{Norm}\,\mathfrak{b} = \#(\mathcal{O}_R/\mathfrak{b})$.



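Lemma 5.2. The order $\mathcal{O} = (\mathfrak{c}^{-1}, +, *_{\varepsilon\rho}) \subset A_\rho$ has discriminant

$n^{n^2} \cdot (\mathrm{Norm}\,\mathfrak{b})^{2/n}\, \mathrm{Disc}(R)$.

Proof: Let $r_1, \ldots, r_{n^2}$ be a $\mathbb{Z}$-basis for $\mathfrak{c}^{-1}$ mapping to matrices $M_1, \ldots, M_{n^2}$ (say) under the trivialisation (18). Then the discriminant of $\mathcal{O}$ is $\mathrm{Disc}(\mathcal{O}) = \det(\mathrm{Trd}(r_i r_j)) = \det(\mathrm{Tr}(M_i M_j))$. But

$\mathrm{Tr}(h(S)\, h(T)) = n$ if $S + T = O$, and $0$ otherwise.

Noting that $[-1]$ is an even permutation of $E[n]$ we compute

$\mathrm{Disc}(\mathcal{O}) = \det\left( n \sum_{T \in E[n]} \gamma(T)\, r_i(T)\, \gamma(-T)\, r_j(-T) \right)_{i,j} = n^{n^2} \left( \prod_{T \in E[n]} \gamma(T)^2 \right) \left( \det(r_i(T))_{i,T} \right)^2$.

By considering the basis for $\bar R = \mathrm{Map}(E[n], \bar K)$ consisting of indicator functions it is clear that for $z \in R$ we have $\mathrm{Tr}_{R/\mathbb{Q}}(z) = \sum_T z(T)$ and $N_{R/\mathbb{Q}}(z) = \prod_T z(T)$. Since $\gamma$ is $G_{\mathbb{R}}$-equivariant we also have $\prod_T \gamma(T) \in \mathbb{R}$. Hence $\prod_T \gamma(T)^2 = |N_{R/\mathbb{Q}}(\alpha)|^{2/n}$ and

$(\det(r_i(T))_{i,T})^2 = \mathrm{Disc}(r_1, \ldots, r_{n^2}) = (\mathrm{Norm}\,\mathfrak{c})^{-2}\, \mathrm{Disc}(R)$.

Recalling that $(\alpha) = \mathfrak{b}\mathfrak{c}^n$ the result is now clear. □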

Remark 5.3. If we start with a Selmer group element then the discriminant computed in Lemma 5.2 is a product of primes dividing $n$ and primes of bad reduction for $E$. Indeed if $\mathfrak{p}$ is a prime of $R$ not dividing any of these primes then $\mathrm{ord}_\mathfrak{p}(\alpha) \equiv 0 \pmod{n}$. The term $\mathrm{Disc}(R)$ is of the stated form by (the easier implication of) the criterion of Néron-Ogg-Shafarevich.

Next we give some justification for our choice of inner product. (See also Section 6.5 and the examples in Section 8.)

Lemma 5.4. The real trivialisation (18) identifies the inner product (17) with (a scalar multiple of) the standard Euclidean inner product $\langle\ ,\ \rangle$ on $\mathrm{Mat}_n(\mathbb{R})$.

Proof: Extending $\langle\ ,\ \rangle$ to an inner product on $\mathrm{Mat}_n(\mathbb{C})$ we have

$\langle h(S), h(T) \rangle = n$ if $S = T$, and $0$ otherwise.

Therefore if $z_1, z_2 \in R$ map to $M_1, M_2 \in \mathrm{Mat}_n(\mathbb{R})$ then

$\langle M_1, M_2 \rangle = n \sum_{T \in E[n]} |\gamma(T)|^2\, z_1(T)\, \overline{z_2(T)} = n \sum_{T \in E[n]} |\alpha(T)|^{2/n}\, z_1(T)\, \overline{z_2(T)}$. □

In principle we could now bound the size of the structure constants. But in practice the structure constants are much smaller than these bounds would suggest. (We encounter a similar situation at the end of Section 6.)

6. Inside the "Black Box" 

Our work on $n$-descent on elliptic curves requires us to make the Hasse principle explicit. In the case $n = 2$ this means we have to solve a conic in order to represent a 2-Selmer group element as a double cover of $\mathbb{P}^1$ rather than as an intersection of quadrics in $\mathbb{P}^3$. In this section we discuss the general case, and in particular give an algorithm that is practical when $K = \mathbb{Q}$ and $n = 3$. See [21] for an algorithm for general $K$ and $n$ based on similar ideas, and a complexity analysis.

6.1. Central simple algebras. We recall some standard theory. See for example [10, Part II]. Let $K$ be a field. A central simple algebra $A$ over $K$ is a finite-dimensional algebra over $K$ with centre $K$ and no two-sided ideals (except $0$ and $A$). Wedderburn's Theorem states that $A$ is then isomorphic to a matrix algebra over a division algebra (i.e., skew field) $D$ with centre $K$. The Brauer group $\mathrm{Br}(K)$ of $K$ is the set of equivalence classes of central simple algebras over $K$, where $A$ and $A'$ are equivalent if they are matrix algebras over the same division algebra $D$. The group law is given by tensor product, i.e., $[A] \cdot [A'] = [A \otimes_K A']$, and the inverse of $[A]$ is the class of the opposite algebra $A^{\mathrm{op}}$ obtained by reversing the order of multiplication. The identity element is the class of matrix algebras over $K$.

If $A$ is a central simple algebra over $K$ and $L/K$ is any field extension then $A_L = A \otimes_K L$ is a central simple algebra over $L$. The reduced trace and norm are defined as $\mathrm{Trd}(a) = \mathrm{tr}(\varphi(a))$ and $\mathrm{Nrd}(a) = \det(\varphi(a))$ where $\varphi : A_{\bar K} \cong \mathrm{Mat}_n(\bar K)$ is an isomorphism of $\bar K$-algebras. These definitions are independent of the choice of $\varphi$ by the Noether-Skolem theorem. We likewise define the rank of $a \in A$ to be the rank of $\varphi(a)$.

Now let $K$ be a number field. For each place $v$ of $K$ there is a natural map $\mathrm{Br}(K) \to \mathrm{Br}(K_v)$ given by $[A] \mapsto [A_{K_v}]$. We recall [32, Section 32] that $A_{K_v}$ is a matrix algebra over $K_v$ for all $v$ outside a finite set of places depending on $A$. It is then one of the main results of class field theory that the map

(19)  $\mathrm{Br}(K) \to \bigoplus_{v \in M_K} \mathrm{Br}(K_v)$

is injective. Explicitly, this says that a central simple algebra $A$ over $K$ can be trivialised (i.e., is isomorphic to a matrix algebra over $K$) if and only if it can be trivialised everywhere locally. In particular deciding whether a central simple algebra over $K$ can be trivialised is essentially a local problem, given some global information restricting the places to consider to a finite set. This latter usually involves factorisation.

6.2. Statement of the problem. The problem we address is rather different. Given a $K$-algebra $A$ known to be isomorphic to $\mathrm{Mat}_n(K)$, we would like to find such an isomorphism explicitly. More specifically, we want a practical algorithm that takes as input a list of structure constants $c_{ijk} \in K$, giving the multiplication on $A$ relative to a $K$-basis $a_1, \ldots, a_{n^2}$ by the rule

$a_i a_j = \sum_k c_{ijk}\, a_k$

and returns as output a basis $M_1, \ldots, M_{n^2}$ for $\mathrm{Mat}_n(K)$ satisfying

(20)  $M_i M_j = \sum_k c_{ijk}\, M_k$.

The output is far from unique, as we are free to conjugate the $M_i$ by any fixed matrix in $\mathrm{GL}_n(K)$.

6.3. Zero-divisors. Let $A$ be a central simple algebra of dimension $n^2$ over a field $K$. If $n$ is prime then by Wedderburn's theorem either $A \cong \mathrm{Mat}_n(K)$ or $A$ is a division algebra. In particular $A \cong \mathrm{Mat}_n(K)$ if and only if it contains a zero-divisor.

Once we have found a zero-divisor it is easy to find a trivialisation $A \cong \mathrm{Mat}_n(K)$. More generally (i.e., dropping our assumption that $n$ is prime) it is enough to find $x \in A$ of rank $r$ with $(r, n) = 1$. Indeed as $A$-modules we have $Ax \cong M^r$ and $A \cong M^n$ where $M$ is the unique faithful simple module. By taking kernels (or cokernels) of sufficiently general $A$-linear maps we can apply Euclid's algorithm to the dimensions and so explicitly compute $M$. Since the natural map $A \to \mathrm{End}_K(M) \cong \mathrm{Mat}_n(K)$ is an isomorphism, this gives the required trivialisation of $A$.
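
The step from a zero-divisor to an explicit trivialisation, carried out over $\mathbb{Q}$ from structure constants alone: the code takes $M$ to be the left ideal $Ax$ when that has dimension $n$, and otherwise the kernel of the $A$-linear map $a \mapsto ax$, which covers every zero-divisor for $n \le 3$. This is an added Python example, not the authors' MAGMA code; the function names and the test algebra ($\mathrm{Mat}_3(\mathbb{Q})$ written in the constructed basis $b_k = E_k + E_{k+1}$) are assumptions made here.

```python
from fractions import Fraction
from math import isqrt

def rref(rows):
    """Reduced row echelon form over Q: returns (nonzero rows, pivot columns)."""
    rows = [[Fraction(v) for v in r] for r in rows]
    pivots, rank = [], 0
    for col in range(len(rows[0])):
        hit = next((i for i in range(rank, len(rows)) if rows[i][col] != 0), None)
        if hit is None:
            continue
        rows[rank], rows[hit] = rows[hit], rows[rank]
        lead = rows[rank][col]
        rows[rank] = [v / lead for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col] != 0:
                factor = rows[i][col]
                rows[i] = [a - factor * b for a, b in zip(rows[i], rows[rank])]
        pivots.append(col)
        rank += 1
    return rows[:rank], pivots

def unit(N, i):
    """Coordinate vector of the basis element a_i (0-based)."""
    return [Fraction(int(k == i)) for k in range(N)]

def product(c, u, v):
    """Coordinates of u*v, using the rule a_i a_j = sum_k c[i][j][k] a_k."""
    N = len(c)
    return [sum((u[i] * v[j] * c[i][j][k] for i in range(N) if u[i]
                 for j in range(N) if v[j]), Fraction(0)) for k in range(N)]

def simple_left_ideal(c, x):
    """RREF basis and pivot columns of an n-dimensional left ideal M of A."""
    N = len(c)
    n = isqrt(N)
    R = [product(c, unit(N, i), x) for i in range(N)]    # row i = a_i * x
    image, piv = rref(R)                                  # the left ideal Ax
    if len(image) == n:                                   # x has rank 1
        return image, piv
    # Kernel of the A-linear map a -> a*x, read off from the RREF of [R | I].
    aug, piv = rref([R[i] + unit(N, i) for i in range(N)])
    kernel = [(row[N:], p - N) for row, p in zip(aug, piv) if p >= N]
    if len(kernel) == n:                                  # x has rank n - 1
        return [row for row, _ in kernel], [p for _, p in kernel]
    raise ValueError("neither Ax nor the kernel of a -> a*x has dimension n")

def trivialise(c, x):
    """Matrices M_1..M_N of the left action of a_1..a_N on the ideal M."""
    N = len(c)
    basis, piv = simple_left_ideal(c, x)
    mats = []
    for i in range(N):
        # Column j holds the coordinates of a_i * m_j in the RREF basis of M.
        cols = [[product(c, unit(N, i), m)[p] for p in piv] for m in basis]
        mats.append([list(row) for row in zip(*cols)])
    return mats

def satisfies_20(c, mats):
    """Check M_i M_j = sum_k c_ijk M_k, i.e. equation (20)."""
    N, n = len(c), len(mats[0])
    for i in range(N):
        for j in range(N):
            for r in range(n):
                for t in range(n):
                    lhs = sum(mats[i][r][s] * mats[j][s][t] for s in range(n))
                    rhs = sum(c[i][j][k] * mats[k][r][t] for k in range(N))
                    if lhs != rhs:
                        return False
    return True

def constructed_mat3_algebra():
    """Structure constants of Mat_3(Q) in the constructed basis b_k = E_k + E_{k+1}."""
    n, N = 3, 9
    basis = [[Fraction(int(t in (k, (k + 1) % N))) for t in range(N)] for k in range(N)]
    def matmul(u, v):   # row-major flattened 3x3 matrices
        return [sum(u[n * r + s] * v[n * s + t] for s in range(n))
                for r in range(n) for t in range(n)]
    def coords(w):      # solve sum_k y_k b_k = w
        rows, _ = rref([[b[t] for b in basis] + [w[t]] for t in range(N)])
        return [row[-1] for row in rows]
    return [[coords(matmul(bi, bj)) for bj in basis] for bi in basis]
```

In the constructed algebra the basis element $b_1 = E_{11} + E_{12}$ has rank 1 and $b_3 = E_{13} + E_{21}$ has rank 2, so `trivialise(c, unit(9, 0))` and `trivialise(c, unit(9, 2))` exercise the two branches.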

6.4. Maximal orders. Let $A$ be a central simple algebra of dimension $n^2$ over $\mathbb{Q}$. An order in $A$ is a subring $\mathcal{O} \subset A$ whose additive group is a free $\mathbb{Z}$-module of rank $n^2$. Thus a $\mathbb{Q}$-basis $a_1 = 1, a_2, \ldots, a_{n^2}$ for $A$ is a $\mathbb{Z}$-basis for an order $\mathcal{O}$ if and only if the structure constants are integers. We can reduce to this case by clearing denominators. The discriminant of $\mathcal{O}$ is defined as

$\mathrm{Disc}(\mathcal{O}) = |\det(\mathrm{Trd}(a_i a_j))|$.

A maximal order $\mathcal{O} \subset A$ is an order that is not a proper subring of any other order in $A$. It is shown in [33, Section 25] that all maximal orders in $A$ have the same discriminant, which we denote $\mathrm{Disc}(A)$. Moreover if $A_{\mathbb{Q}_p} \cong \mathrm{Mat}_{\kappa_p}(D_p)$ where $D_p$ is a division algebra over $\mathbb{Q}_p$ with $[D_p : \mathbb{Q}_p] = m_p^2$ then

(21)  $\mathrm{Disc}(A) = \left( \prod_p p^{(m_p - 1)\kappa_p} \right)^n$.

By the injectivity of (19) it follows that $A \cong \mathrm{Mat}_n(\mathbb{Q})$ if and only if $\mathrm{Disc}(A) = 1$ and $A \otimes \mathbb{R} \cong \mathrm{Mat}_n(\mathbb{R})$. (In fact we can dispense with the real condition, in view of the description of the image of (19) also given by class field theory.) It is well known that every maximal order in $\mathrm{Mat}_n(\mathbb{Q})$ is conjugate to $\mathrm{Mat}_n(\mathbb{Z})$. By computing a maximal order our original problem (in the case $K = \mathbb{Q}$) is reduced to the following: given structure constants for a ring known to be isomorphic to $\mathrm{Mat}_n(\mathbb{Z})$, find such an isomorphism explicitly.

6.5. Lattice reduction. Let $L \subset \mathbb{R}^m$ be a lattice spanned by the rows of an $m$ by $m$ matrix $B$. Then $\det L = |\det B|$ depends only on $L$ and not on $B$. By the geometry of numbers, $L$ contains a non-zero vector $x$ with

$\|x\|^2 \le c\,(\det L)^{2/m}$

where $c$ is a constant depending only on $m$. (Here, $\|x\| = (\sum_{i=1}^{m} x_i^2)^{1/2}$ is the usual Euclidean norm.) The best possible value of $c$ is called Hermite's constant and denoted $\gamma_m$. Blichfeldt P] has shown that

Let $A$ be a central simple algebra over $\mathbb{Q}$ of dimension $n^2$. For $n \in \{3, 5\}$ the following argument gives a direct proof that if $A_{\mathbb{Q}_p} \cong \mathrm{Mat}_n(\mathbb{Q}_p)$ for all primes $p$ then $A \cong \mathrm{Mat}_n(\mathbb{Q})$. (This should be viewed as generalising the geometry of numbers proof of the Hasse principle for conics over $\mathbb{Q}$.) First let $\mathcal{O}$ be a maximal order in $A$. Since $n$ is odd we may trivialise $A$ over the reals, and hence identify $\mathcal{O}$ as a subring of $\mathrm{Mat}_n(\mathbb{R})$. We identify $\mathrm{Mat}_n(\mathbb{R}) = \mathbb{R}^{n^2}$ in the obvious way. Then

$\mathrm{Disc}(\mathcal{O}) = (\det B)^2\, \mathrm{Disc}(\mathrm{Mat}_n(\mathbb{Z}))$

where $B$ is an $n^2$ by $n^2$ matrix whose rows are a basis for $\mathcal{O}$. Our local assumptions show by (21) that $\mathrm{Disc}(\mathcal{O}) = 1$. Since $\mathrm{Disc}(\mathrm{Mat}_n(\mathbb{Z})) = 1$ it follows that $\det \mathcal{O} = |\det B| = 1$. Hence by the geometry of numbers there is a non-zero matrix $M \in \mathcal{O} \subset \mathrm{Mat}_n(\mathbb{R})$ with $\|M\|^2 \le \gamma_{n^2}$. Blichfeldt's bound (22) gives

2 / 12' \^/^ 
79 < - [^I^V^) - 2.24065, 

2/28! ^ ^^^^ 



Hence $\|M\|^2 < n$. Applying the Gram-Schmidt algorithm to the columns of $M$, we can write $M = QR$ where $Q$ is orthogonal and $R$ is upper triangular, say with diagonal entries $r_1, \ldots, r_n$. Then by the AM-GM inequality

$|\det M|^{2/n} = \left( \prod_{i=1}^{n} r_i^2 \right)^{1/n} \le \frac{1}{n} \sum_{i=1}^{n} r_i^2 \le \frac{1}{n} \|R\|^2 = \frac{1}{n} \|M\|^2 < 1$.

But $\det M$ is the reduced norm of an element of $\mathcal{O}$, and therefore an integer. Hence $\det M = 0$, i.e., $M$ is a zero-divisor. As we have seen, this implies that $A \cong \mathrm{Mat}_n(\mathbb{Q})$ (recall that $n$ is prime).

This proof suggests the following algorithm. Starting with a $\mathbb{Q}$-algebra $A$, known to be isomorphic to $\mathrm{Mat}_n(\mathbb{Q})$, we perform the following steps.

• Compute a maximal order $\mathcal{O} \subset A$. (See for example [28] or the MAGMA implementation by de Graaf.)

• Trivialise $A$ over the reals. In practice (for $n$ odd) we split the algebra by a number field of odd degree, and then take a real embedding.

• Use the real trivialisation to embed $\mathcal{O}$ as a lattice in $\mathrm{Mat}_n(\mathbb{R}) = \mathbb{R}^{n^2}$. Then compute an LLL-reduced basis for $\mathcal{O}$.

• Search through small linear combinations of the basis elements of $\mathcal{O}$ until we find an element with reducible minimal polynomial. If $n$ is prime we can then compute a trivialisation as described in Section 6.3.

In practice for $n \in \{3, 5\}$ the first basis vector of $\mathcal{O}$ is a zero-divisor, and so no searching is required in the final stage. (The bounds in the LLL-algorithm are unfortunately not quite strong enough to prove this. In the case $n = 3$ we were able to rectify this by proving an analogue of Hunter's theorem |27j . [HI Theorem 6.4.2]. We omit the details.) For general $n$ the algorithm still finds a basis for $A$ with respect to which the structure constants are small integers, and is therefore worth applying before attempting any other method (for example using norm equations).

We give some theoretical justification for the last remark. Suppose $\mathcal{O} \subset \mathrm{Mat}_n(\mathbb{R})$ has basis $M_1, \ldots, M_{n^2}$. As observed above, the $n^2$ by $n^2$ matrix $B$ whose $i$th row contains the entries of $M_i$ has determinant 1. So by Cramer's rule the structure constants (defined by (20)) satisfy

(23)  $|c_{ijk}| \le \|M_i M_j\| \prod_{l \ne k} \|M_l\|$.

The LLL algorithm bounds $\prod_{i=1}^{n^2} \|M_i\|$ by a constant depending only on $n$. So either $\|M_i\| < \sqrt{n}$ for some $i$, in which case we have found a zero-divisor, or the $\|M_i\|$ are bounded by a constant depending only on $n$. In this latter case, by (23) and the fact $\|M_i M_j\| \le \|M_i\| \cdot \|M_j\|$, the structure constants are also bounded by a constant depending only on $n$. These constants turn out to be rather large - but fortunately the method works much better in practice.

7. Projecting to the rank 1 locus 

In this section we explain the "fudge factor" $1/y_T$ used in our description
(see Section Hj) of the Segre embedding method in the case $n = 3$.

Let $E/K$ be an elliptic curve. We write $\tau_P : E \to E$ for translation by
$P \in E$. The theta group of level $n$ for $E$ is

$$\Theta_E = \{(f, T) \in \overline{K}(E)^\times \times E[n] : \operatorname{div}(f) = \tau_T^*(n(O)) - n(O)\}$$

with group law

$$(f_1, T_1) * (f_2, T_2) = (\tau_{T_2}^*(f_1) f_2, T_1 + T_2).$$

It sits in an exact sequence

$$0 \to \mathbb{G}_m \xrightarrow{\alpha} \Theta_E \xrightarrow{\beta} E[n] \to 0$$

where the structure maps $\alpha$ and $\beta$ are given by $\alpha : \lambda \mapsto (\lambda, O)$ and $\beta :
(f, T) \mapsto T$. The commutator is given by the Weil pairing, i.e., $xyx^{-1}y^{-1} =
\alpha e_n(\beta x, \beta y)$ for all $x, y \in \Theta_E$.

The construction of the obstruction algebra depends on an element $\varepsilon \in
(R \otimes_K R)^\times$. In [13] it is shown that we can take

$$\varepsilon(T_1, T_2) = \frac{\phi(T_1)\phi(T_2)}{\phi(T_1 + T_2)}$$

where $\phi : E[n] \to \Theta_E$ is any Galois equivariant set-theoretic section for $\beta$.
This element has the property that

(24) $$\varepsilon(T_1, T_2)\,\varepsilon(T_2, T_1)^{-1} = e_n(T_1, T_2).$$

If we change $\phi$ by multiplying by an element $z \in R^\times$ (viewed as a map
$E[n] \to \overline{K}^\times$) then $\varepsilon$ is multiplied by $\partial z$. It is shown in [13, Lemma 4.6] that
this does not change the obstruction algebra (up to isomorphism).
One choice of $\phi$ is to take

$$\phi(T) = (F_T, -T)^{-1} = (\tau_T^*(1/F_T), T)$$

where the $F_T$ are the functions with divisor $n(T) - n(O)$ scaled as specified
at the start of Section 2.6. Then

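$$\begin{aligned}
\phi(T_1)\phi(T_2) &= (\tau_{T_1}^*(1/F_{T_1}), T_1) * (\tau_{T_2}^*(1/F_{T_2}), T_2) \\
&= (\tau_{T_1+T_2}^*(1/F_{T_1})\,\tau_{T_2}^*(1/F_{T_2}),\ T_1 + T_2) \\
&= \frac{\tau_{T_1+T_2}^*(F_{T_1+T_2})}{\tau_{T_1+T_2}^*(F_{T_1})\,\tau_{T_2}^*(F_{T_2})}\,\phi(T_1 + T_2).
\end{aligned}$$

This gives the formula (9) cited in Section 2.6. We recall from [13, §3] that
when $n = 2m - 1$ is odd an alternative choice of $\varepsilon$ (suggested by [12]) is

(25) $$\varepsilon(T_1, T_2) = e_n(T_1, T_2)^m.$$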

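This choice of $\varepsilon$ corresponds to choosing $\phi$ so that $\iota(\phi(T)) = \phi(T)^{-1}$ and
$\phi(T)^n = 1$ for all $T \in E[n]$, where $\iota : \Theta_E \to \Theta_E$ is the involution $(f, T) \mapsto
(f \circ [-1], -T)$. Indeed applying the involution $\iota$ to

$$\phi(T_1)\phi(T_2) = \varepsilon(T_1, T_2)\,\phi(T_1 + T_2)$$

gives

$$\phi(T_1)^{-1}\phi(T_2)^{-1} = \varepsilon(T_1, T_2)\,\phi(T_1 + T_2)^{-1}$$

and so

$$e_n(T_1, T_2) = \phi(T_1)\phi(T_2)\phi(T_1)^{-1}\phi(T_2)^{-1} = \varepsilon(T_1, T_2)^2$$

as required.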
The formulae (9) and (25) differ by $\partial u$ where $u \in R^\times$ satisfies

$$\iota(u(T)F_T, -T) = (u(T)F_T, -T)^{-1}$$
$$(u(T)F_T, -T)^n = 1$$

equivalently

(26) $$u(T)^2 F_T(P) F_T(T - P) = 1$$

(27) $$u(T)^n \prod_{i=0}^{n-1} F_T(P + iT) = 1$$

where $P \in E$ is arbitrary, subject to avoiding the zeros and poles of these
functions. Taking $P = mT$ in (26) gives

$$u(T) = \pm 1/F_T(mT).$$

We check that the sign is independent of $T \in E[n] \setminus \{O\}$. If Galois acts
transitively on $E[n] \setminus \{O\}$ then this is already clear. In general we use (27)
and the following lemma.

Lemma 7.1. Let $n \ge 3$ be an odd integer and $O \ne T \in E[n]$ a point of
order $r$. Then the rational function

$$g_i : P \mapsto F_T(P + iT)\,F_T(P + (1 - i)T)$$

satisfies

$$g_i(O) = \begin{cases} u(T)^{-2} & \text{if } i \not\equiv 0, 1 \pmod{r} \\ -u(T)^{-2} & \text{if } i \equiv 0, 1 \pmod{r}. \end{cases}$$

Proof: By (26) the rational function

$$h_i : P \mapsto F_T(-P + iT)\,F_T(P + (1 - i)T)$$

is constant with value $u(T)^{-2}$. If $i \not\equiv 0, 1 \pmod{r}$ then $g_i$ and $h_i$ take the
same value at $P = O$. If $i \equiv 0, 1 \pmod{r}$ then an extra minus sign arises
since $F_T$ has a pole of odd order at $O$. Indeed expanding $F_T$ as a power series
in $t = x/y$ about $O$ it is clear that the rational function $P \mapsto F_T(-P)/F_T(P)$
takes value $-1$ at $P = O$. □

To compute the product in (27) we put $P = O$ in

$$\prod_{i=0}^{n-1} F_T(P + iT) = F_T(P + mT) \prod_{i=1}^{m-1} g_i(P)$$

and use Lemma 7.1. Since $n/r$ is odd we find that $u(T) = -1/F_T(mT)$ for
all $T \in E[n] \setminus \{O\}$.

In the case $n = 3$ we recall that relative to the Weierstraß equation $y^2 =
x^3 + ax + b$ we have

$$F_T(x, y) = (y - y_T) - \lambda_T(x - x_T)$$

where $\lambda_T$ is the slope of the tangent line at $T = (x_T, y_T)$. Therefore $u(T) =
-1/F_T(-T) = 2/y_T$.

In Section 2.6 we took $\varepsilon$ given by (9). In Sections H] and 5 we took $\varepsilon$ given
by (25). This difference does not matter when computing the obstruction
algebra, but it does matter when we subsequently compute equations using
the Segre embedding method. For instance, if we used the wrong $\varepsilon$ then
it would not be true (after projection to the trace zero subspace) that we
get a curve in the rank 1 locus of $\mathbb{P}(\operatorname{Mat}_n)$. In view of [13, Lemma 4.6] the
situation is remedied by multiplying by the factor $u(T)$. (Here we use the
usual pointwise multiplication in $R$.) In Section H] we used the factor $1/y_T$.
The constant 2 (or indeed any scalar in $K^\times$) can be ignored since the scalar
matrices act trivially on projective space.

8. Examples 

We refer to ^0] for examples using our work on 3-descent to find points 
of large height on elliptic curves over Q. Here we instead use 3-descent to 
construct explicit non-trivial elements of the Tate-Shafarevich group. We 
also give examples to show that the obstruction map is not linear. See the 
accompanying MAGMA file for further details of these examples. 

8.1. An element of Ш[3]. Let $E/\mathbb{Q}$ be the elliptic curve

$$y^2 + xy = x^3 + x^2 - 1154x - 15345$$

labelled 681b1 in [TT]. This curve has generic 3-torsion in the sense that the
map $\rho_{E,3} : G_{\mathbb{Q}} \to \operatorname{GL}_2(\mathbb{Z}/3\mathbb{Z})$ is surjective. We work with the Weierstraß
equation $y^2 = x^3 + a_4 x + a_6$ where $a_4 = -1496259$ and $a_6 = -693495810$.
Relative to this Weierstraß equation a 3-torsion point is given by $T = (x_T, y_T)$
where

$$x_T = 12u^6 - 36u^2 + 2115, \qquad y_T = -2820u^7 - 144u^5 + 16920u^3 - 662268u,$$

and $u$ is a root of $f(X) = X^8 - 6X^4 + 235X^2 - 3$. The slope of the tangent
line at $T$ is $\lambda_T = (3x_T^2 + a_4)/(2y_T) = -3u^7 + 15u^3 - 705u$.
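The following check is an added example, not code from the paper or its MAGMA file. It does exact arithmetic in L = Q[u]/(f) with f(X) = X^8 - 6X^4 + 235X^2 - 3 and confirms that T = (x_T, y_T), with x_T = 12u^6 - 36u^2 + 2115, y_T = -2820u^7 - 144u^5 + 16920u^3 - 662268u and λ_T = -3u^7 + 15u^3 - 705u, lies on the curve, that λ_T is its tangent slope, and that λ_T^2 = 3x_T, which is the condition for T to have order 3. All function names are this example's own.

```python
# Added example: exact arithmetic in L = Q[u]/(f) using integer coefficient
# lists [c0, ..., c7] (constant term first). f is monic, so no fractions arise.
F = [-3, 0, 235, 0, -6, 0, 0, 0, 1]   # f(X) = X^8 - 6X^4 + 235X^2 - 3
DEG = len(F) - 1
A4, A6 = -1496259, -693495810          # y^2 = x^3 + a4*x + a6


def elt(terms):
    """Element of L from a {exponent of u: coefficient} mapping."""
    v = [0] * DEG
    for e, c in terms.items():
        v[e] = c
    return v


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def scale(c, a):
    return [c * x for x in a]


def mul(a, b):
    """Product in L: multiply, then reduce modulo the monic polynomial f."""
    prod = [0] * (2 * DEG - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    for k in range(len(prod) - 1, DEG - 1, -1):   # clear u^k for k >= 8
        c = prod[k]
        for j in range(DEG + 1):
            prod[k - DEG + j] -= c * F[j]
    return prod[:DEG]


ONE = elt({0: 1})
X_T = elt({6: 12, 2: -36, 0: 2115})
Y_T = elt({7: -2820, 5: -144, 3: 16920, 1: -662268})
LAM_T = elt({7: -3, 3: 15, 1: -705})


def on_curve(x, y):
    """y^2 == x^3 + a4*x + a6 in L."""
    cubic = add(add(mul(mul(x, x), x), scale(A4, x)), scale(A6, ONE))
    return mul(y, y) == cubic


def is_tangent_slope(lam, x, y):
    """lam * 2y == 3x^2 + a4, i.e. lam is the slope of the tangent at (x, y)."""
    return scale(2, mul(lam, y)) == add(scale(3, mul(x, x)), scale(A4, ONE))


def is_flex(lam, x):
    """The tangent line meets the cubic in three points whose x-coordinates
    sum to lam^2; the point has order 3 exactly when all three equal x."""
    return mul(lam, lam) == scale(3, x)


if __name__ == "__main__":
    print(on_curve(X_T, Y_T), is_tangent_slope(LAM_T, X_T, Y_T),
          is_flex(LAM_T, X_T))
```

A different assignment of exponents to the same coefficients, for instance -3u^5 + 15u^3 - 705u for the slope, fails the last identity, so the three checks together pin down the formulas.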

Using the algorithm in [36] (see Section 2.3 for a summary) we find that
$\operatorname{Sel}^{(3)}(E/\mathbb{Q}) \cong (\mathbb{Z}/3\mathbb{Z})^2$. One of the non-trivial elements is represented by

a = ^{u^ -u^- 9m^ - hu^ - 27m - 3). 

In this example we find the corresponding plane cubic. 

Let $L = \mathbb{Q}(u)$ and $M = L(v)$ where $v$ is a root of

$$g(X) = \frac{f(X)}{X^2 - u^2} = X^6 + u^2 X^4 + (u^4 - 6)X^2 + u^6 - 6u^2 + 235.$$

We also put $L^+ = \mathbb{Q}(u^2)$ and $M^+ = L(v^2)$. Let $\sigma$ and $\tau$ be the automorphisms
generating $\operatorname{Gal}(L/L^+)$ and $\operatorname{Gal}(M/M^+)$. The polynomial $f(X)$
splits over $M$ with roots $\pm u$, $\pm v$, $\pm u_{10}$ and $\pm u_{01}$. There are embeddings
$\iota_{10} : L \to M$ and $\iota_{01} : L \to M$ given by $u \mapsto u_{10}$ and $u \mapsto u_{01}$. We choose
Uio and Mqi so that t{uiq) = -Uqi and 610(7") + ''Oi(^) = T. 
Following the description in Section H] we put

$$R = \mathbb{Q} \times L \quad \text{and} \quad R \otimes R = \mathbb{Q} \times L \times L \times L \times L \times M.$$
Then a = (1, a) and p = (1, 1, 1, cr(a)/s, s, t/s) where s = —u"^ and 
t = ^(^7 _ ^5 _ 5^3 _ 27^2 ^ 240u - 27)?;^ 

+ 4^6 (-2m^ + 2m^ - 27m^ + IOm^ - 237m + 27)f ^ 

+ ik(~"^ - ^^^ + u^ + 86u^ + 5W - 240m + 45). 

We put $\varepsilon = (1, 1, 1, 1, 1, \zeta_3)$ where $\zeta_3 \in M$ is a primitive cube root of unity.
It is not worth recording our choice of $\zeta_3$ since a different choice only has the
effect of reversing the order of multiplication in the obstruction algebra.
The basis for $L$ as a $\mathbb{Q}$-vector space suggested in Section 5 is

Ml = 1, 

U2 = i(-M^ + 6M^-235M), 

M3 = ^(80m^ - 9m^ + m^ - 481m^ + bAu"^ + 18795m - 2124), 



uj = -^(97m^ - 9m*^ + 2m^ - 584m^ + GSm^ + 22785m - 2133), 

Ms = ^(462m^ - 53m^ + 6m^ - m^ - 2769m3 + 319m2 + 108549m - 12423). 

Then $R$ has basis $r_1, \ldots, r_9$ where $r_1 = (1, 0)$ and $r_{i+1} = (0, u_i)$. Let $A$
be the obstruction algebra $(R, +, *_{\varepsilon\rho})$ with basis $a_1, \ldots, a_9$ corresponding to
$r_1, \ldots, r_9$. Then $a_1$ is the identity, and left multiplication by $a_2$ is given by

ao ^ — 3a3 — 3a5 — 3aQ, 
a2a3 = 2a2 + 3a3 + 3a8, 

^^2^8 ^ '^^2 — ^^3 "I" 9a4 — 3a8, 

a2ag = — 3ai + 4a2 + 3a3 — 3a5 + 6a6 — 3a7 + 3a8. 

We do not record the full table of structure constants, but note that the above 
sample is typical in that most entries are single digit integers. (Alternatively 
the full table may be recovered from the trivialisation given below.) The
basis vectors $a_i$ have minimal polynomials

X -1, X^ + 162, X^ - \2X - 227, X^ X^ - VIX - 470, X^ - VIX - 470, 

X^ - U7X - 367, X^ - 201X + 1307, X^ + 123X + 254. 
Notice that $a_4$ is a zero-divisor, so in this example it is particularly easy to
find a trivialisation.

The discriminant of L is 3^^ • 227^ and the ideal generated by a is a cube. 
As predicted by Lemma 5.2 the order with basis the $a_i$ has discriminant
$|\det(\operatorname{Trd}(a_i a_j))|$ = 3^° ■ 227^. A basis for a maximal order in $A$ is given by

bi = ^(ai + 56a6 + 126a7 + lOlag + 2438a9), 

bs = 2M3 ("^^2 + 38a4 + 471a5 + 95432a6 + 50049a7 + 75876a8 + 1408079a9), 

bg = 2M3 (^3 + 167a4 + 543a5 + 175106a6 + 57658a7 + 87258a8 + 1872296a9), 

b4 = 5(a4 + 529a6 + 2041a9), 

bs = ^(as + 159a6 + 105a7 + leOag + 2802a9), 

be = l{ae +^9), 
b7 = i(a7 + 8a9), 
bs = 5(a8 + 8a9), 
b9 = a9 

with minimal polynomials 

X^-X^ + 67882988X + 153570178243, X^ + 46000395X + 93752525874, 

X^ + 80434914X + 198363227932, X^ + 4444433X + 1099577331, 

X^ + 84844655X + 243745052250, X^ - 3X, 

X^ + 725X + 3507, X^ + 671X + 9393, X^ + USX + 254. 

In defining the $b_i$ we have not made use of the fact the $a_i$ are already
LLL-reduced with respect to a real trivialisation. The simplest way to correct for
this is to run LLL on the rows of the change of basis matrix. So instead of
the $b_i$ we consider the basis

h[ = 2^(-12a2 - 63a3 - 4a4 - 73a6 + 18a7 + 8a9), 
b'2 = 2^(-81a2 - 28a3 - 27a4 + 18a6 + 8a7 + 54a9), 

b'g = 2o^(-36a2 + 37a3 + 48a4 + 138a5 - 81a6 - 173a7 - 90a8 + 24a9), 
bg = 2(5^(— 681ai — 27a2 — 85a3 — 9a4 + Gag — 73a7 + 18a9) 

with minimal polynomials 

X^, X^, X^, X^-X, X^-X, X^, X^-X, X^-X, x^ + x 

Now every vector in our basis is a zero-divisor! (Recall that to find a
trivialisation we only needed to find one zero-divisor.) Using the method in
Section 6.3 we find a trivialisation:



3.4 l-> 




a2 



as 



aj I-)- 



as ^ 




We recall that $R = \mathbb{Q} \times L$ and $L$ has basis $u_1, \ldots, u_8$. The space of quadrics
vanishing on the projection of $C_\rho \subset \mathbb{P}(R)$ to $\mathbb{P}(L)$ has basis

qi = Z^Zq — Z^Zq — Z^Z-j + Z^Z^ + ^7^8) 

(h = 2^:1^6 — 2:32:6 + z^z^ + 2:5 — 2:52:8 — 22:52:7 + 2:52:8, 
ga = —2:12:6 — 2:32:5 — 22:42:5 + 242:5 + 2:5 — 2:52:5 + 2:02:8, 



gi8 



Z^ — ZiZ^ 



Z1Z4 + 21^5 + ZZiZq — ZiZj — Z2Z4 + 222^5 
+ 2^324 — 2^325 — ^3^6 — ^3^7 + 323^8 + 2^4 



ZZ2ZQ ZZn 

Z^Z^ -p Z^Zq — 'iZ^Zj 



— Z^Zg + Z^Zq + 32:5^7 + ^5^8 + % + 2Z6^7 + ZqZs — Zj — Zg. 

Multiplication by the factor $1/y_T \in L$ (relative to the basis $u_1, \ldots, u_8$)
followed by the above trivialisation, prompts us to substitute

Z2 
Z3 
Zi 

Z-> 

za 

Zl 
\Z8/ 

Next we substitute $z_{ij} = x_i y_j$ to give 18 forms of bidegree (2, 2). Multiplying
each of these by the $x_i$ gives 54 forms of bidegree (3, 2). We then solve
by linear algebra for the ternary cubic $F_1$ (unique up to scalars) such that
$y_1^2 F_1(x_1, x_2, x_3)$ belongs to the span of these forms:

Fi(x, y, z) = Sx"^ — 13x'^y + Ax'^z + 2xy'^ + xyz — y^ — 5y'^z — yz^ + z^ . 

This is the ternary cubic corresponding to $\alpha$. Since $E(\mathbb{Q})/3E(\mathbb{Q}) = 0$ it
represents a non-trivial element of Ш$(E/\mathbb{Q})[3]$. In general we now minimise
and reduce using the algorithms in [15]. However in this example we find
that $F_1$ is already minimised and close to being reduced.

Repeating for different $\alpha$ we find that the other non-trivial elements of
Ш$(E/\mathbb{Q})[3]$ are represented by

F2{x, y,z) = X + 6x y + Ax z + Axy + 5xyz + 2xz + y — 3y z + 7yz + 6z , 

F^{x, y,z) = X — 2x y — x z — 7xyz + 8xz + 4y — 5y z + 6yz + z , 

Fi{x, y, z) = x^ - 2x^z + Axy"^ + 'ixyz - bxz^ - y^ + Qy'^z + 2yz^ + 7z^. 

We recall that inverses in the 3-Selmer group are represented by the same
cubic with different covering maps. Thus our 3-descent programs return a
list of $(3^s - 1)/2$ ternary cubics where $s$ is the dimension of the Selmer group
as an $\mathbb{F}_3$-vector space.

We have computed equations for all elements of Ш$(E/\mathbb{Q})[3]$ for all elliptic
curves $E/\mathbb{Q}$ of conductor $N_E < 130000$. The results can be found on the
website [23]. In compiling this list we only ran our programs on the elliptic
curves with analytic order of Ш divisible by 3, and did not compute the class
groups rigorously. Thus the completeness of our list remains conditional on
the Birch-Swinnerton-Dyer conjecture.* It is however unconditional that
every cubic in our list is a counterexample to the Hasse Principle.

8.2. Adding ternary cubics. We give two examples to show that the
obstruction map for 3-coverings is not linear. These generalise the example for
2-coverings given in [12, Section 5].
Let $E/\mathbb{Q}$ be the elliptic curve

$$y^2 + xy + y = x^3 - x^2 + 40x + 155$$

labelled 126a3 in [TT]. The ternary cubics

Fi (x, y, z) = x + xy — xyz + xz + y + 3y z — 6yz + z 
$$F_2(x, y, z) = 2x^2y + 2x^2z + 3xy^2 - xyz + 2xz^2 + 2yz^2 + 2z^3$$

represent 3-coverings of $E$ with $\Delta(F_1) = \Delta(F_2) = \Delta_E$ = — 2^-3^-7^. Whereas
the second of these has the obvious rational point (1:0:0), the first is not
locally soluble at the primes 2 and 7.

Let $K = \mathbb{Q}(\zeta_3)$ where $\zeta_3$ is a primitive cube root of unity. Then $E(K)[3] \cong
(\mathbb{Z}/3\mathbb{Z})^2$ generated by $P = (1, 13)$ and $Q = (-6, 13 + 21\zeta_3)$. By the formulae
in [19] these points act on the first cubic via

/I 0\ 

M^P^ = I -1 11 M^^^ 





* However, for curves of rank 0 and 1 and conductor < 5000 the full BSD conjecture
has recently been verified by R.L. Miller.

and on the second cubic via

/O -3 -1\ /I 4 + 2C3 -4C3 

Mf= 2 2 -2 M^')= 4 + 2C3 1 - Cs 2 + 4(3 
V-2 -2/ \ -2C3 1 + 2C3 -2 + C3. 

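Taking determinants shows that the 3-coverings are represented as elements
of $H^1(K, E[3]) \cong K^\times/(K^\times)^3 \times K^\times/(K^\times)^3$ by

$$\alpha_1 = (1, \zeta_3) \quad \text{and} \quad \alpha_2 = \Big(28, \frac{1 - 2\zeta_3^2}{1 - 2\zeta_3}\Big).$$
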

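We recall from [32] that in this split torsion case, the obstruction map

$$\operatorname{Ob}_3 : H^1(K, E[3]) \to \operatorname{Br}(K)[3] \subset \bigoplus_{\mathfrak{p}} \operatorname{Br}(K_{\mathfrak{p}})[3]$$

is given by the local 3-Hilbert norm residue symbols, subject to identifying
$\operatorname{Br}(K_{\mathfrak{p}})[3] = \tfrac{1}{3}\mathbb{Z}/\mathbb{Z} = \mu_3$. It is routine to check (see for example the exercises
in [7]) that $(28, (1 - 2\zeta_3^2)/(1 - 2\zeta_3))_{\mathfrak{p}} = 1$ for all primes $\mathfrak{p}$ of $K$, but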

(28,C3)p = n^ ifp|2orp|7 
^ '^■^■'^ 1^ 1 otherwise. 

Thus $\operatorname{Ob}_3(\alpha_1) = \operatorname{Ob}_3(\alpha_2) = 0$ yet $\operatorname{Ob}_3(\alpha_1\alpha_2) \ne 0$. This shows that the sum
of our two 3-coverings cannot be represented as a ternary cubic over $\mathbb{Q}$ (or
even $K$). In particular the obstruction map is not linear.

We give a second example to show that this behaviour is not peculiar to
the split torsion case. Let $E/\mathbb{Q}$ be the elliptic curve

$$y^2 + xy + y = x^3 - 43x - 490$$

labelled 1722f1 in [TT]. The Galois action on the 3-torsion of $E$ is generic. A
non-trivial 3-torsion point is

T ={^{u'^ + 9m^ + 315^2 + 1979), ^(-643m^ - 117m'^ 

- 1755u^ - 1053u^ - 166257^3 - 36855^2 - 888689u - 254007)) 

defined over L = Q(m) where m is a root of X^ + 234^^ + 1256X2 - 4563. 
The ternary cubics 

Fi{x, y, z) = x^ - Ix^z + Ixy^ + xyz + 3xz^ + 2/^ + 3y^z - yz^ + 1z^ 

Fiix, y, z) = 3x^y + x^z — xy^ + 3xyz — 2xz^ + y^ + ^yz^ + z^ 

represent 3-coverings of E with 

A(Fi) = A(F2) = ^E = -2^ ■ 3^ ■ 73 ■ 41. 

Whereas the second of these has the obvious rational point (1:0:0), the 
first is not locally soluble at the primes 3 and 7. The corresponding elements 
of $L^\times/(L^\times)^3$, computed using the formula in [19], are

- 16419m2 - 20173m - 126503), 
02 =gig(-253M^ + 364^6 - 793m^ + 1092m^ - 58695^3 

+ 81172^2 - 457635m + 616252). 

We now attempt to compute a cubic corresponding to $\alpha = \alpha_1\alpha_2$. The basis
for $L$ suggested in Section 5 is



Ul 



U2 



i:^(15n'^ + Uu^ - 65m^ + 13u^ + 4069w^ + 3055^2 - 2675n - 10569), 



39936 



igg(-7n'^ + 26u^ + 65u^ - 130u^ - 1885^^ + 642211^ + 5859n - 8814), 



19968 



U7 = 19^ (7u^ - 13u^ - 13n^ + U3u'^ + 1781u^ - 4615^^ - 331 In + 14469), 

Us = 135X2 (3^*^ + 13u^ - 13n5 - 195^"^ + 481n^ + 3471n2 + 1129n - 7449). 

Proceeding exactly as in Section 8.1 we compute structure constants for
the obstruction algebra $A$. Again $a_1$ is the identity and a portion of the
multiplication table (describing left multiplication by $a_2$) is as follows.

^2 ^ o6ai — 2^2 — 2^3 -\- 2^5 -\- oSLq — ZSij -\- 2ag -r ag, 

a2a3 = ai + 6a2 + 4a3 + 7a4 + 2a5 - 8a6 + 7a7 - 4a8 + ag. 



a2a8 = 28ai - 6a2 - 4a3 - a4 - 5a5 + ae - 5a7 + 7a8 + 2a9, 
a2a9 = — 39ai + 12a2 + 6a3 + 3a4 — as — 2a6 — ag + 4a9. 

We have (a) = pq^c^ where p and q are distinct primes of norm 7'^. As 
predicted by Lemma [5^ the order with basis the a^ has discriminant 2^ ■ 3^^ • 

We computed a maximal order and found it has discriminant 3^-7^. It 
follows by fl2Tl) that A does not split. Alternatively we may check this by 
reducing to a norm equation (see for example [26]). To this end we put 

u = ^(-82ai - 21a2 - 32a3 - 4a4 - 37a5 + 26a6 + 23a7 + 25a8 + 13a9), 
V = 2|6(256a2 + 225a3 - 80a4 + 166a5 - 224a6 - 335a7 - 81a8 + 104a9). 

The minimal polynomial of $u$ is $X^3 + X^2 - 4X + 1$ with discriminant $13^2$.
Moreover $vuv^{-1} = u^2 + u - 3$ and $v^3 = b$ where b = 3^ • 5 • 7^. Thus $A$ is
the cyclic algebra $(F/\mathbb{Q}, \sigma, b)$ where $F = \mathbb{Q}(u)$ and $\sigma : u \mapsto u^2 + u - 3$. In
particular $A$ splits if and only if there exists $\theta \in F$ with $N_{F/\mathbb{Q}}(\theta) = b$. Since 3
and 7 are inert in $F$ the norm equation is not locally soluble at these primes.
In conclusion the 3-coverings defined by $F_1$ and $F_2$ have trivial obstruction,
but their sum does not.